HP Compaq Pro 4300
Contents
1. 42 7 File Sanitizer for HP ProtectTOols cire eren ttim tucn tinea nadaanan Nna Lin E ERR oak sonnn Eben ibn unc c ERR NES e 43 SOUP elen e o 43 Opening File SanltiZer EE 43 Setting a free space bleaching schedule sssssse eene 44 ENWW Setting RRE UE 44 Selecting or creating a shred profile ssss enn 44 Selecting a predefined shred profile ssssssssssssssse 44 Customizing an advanced security shred profile ssseee 45 Customizing a simple delete profile ssssssssssssssseeemnenne 45 General TASKS m H 46 Using a key sequence to initiate shredding sesen 46 Using the File Sanitizer iCOn oti SCENE e be ARRE eed latns 46 Manually shredding one asset enne ener nennen nnns 47 Manually shredding all selected items sss nnne 47 Manually activating free space bleaching ssess nmn 47 Aborting a shred or free space bleaching operation sessem 48 viewing the Tog o 48 8 Embedded Security for HP ProtectTools ccccsesseeeeeseseeeseesesseeseesesneeesenseseeeeseseseneesensesneeesesessneeenseeeenens 49 SOUP proced res t E aaa 49 Installing Embedded Security for HP ProtectTools if necessary2. NOTE Because the password is protected by a TPM security chip if the hard drive is moved to another computer data cannot be accessed unless the TPM settings are migrated to that computer 1 Use Embedded Security for HP ProtectTools to activate the TPM 2 Inthe Administrative Console left pane expand Drive Encryption and click Encryption Management 3 Select the Enhance security with TPM check box 30 Chapter 5 Drive Encryption for HP ProtectTools ENWW Encrypting or decrypting individual drives 1 In the Administrative Console left pane expand Drive Encryption and click Encryption Management Click the Change Encryption button In the Change Encryption dialog box select or clear the check box next to each hard drive you want to encrypt or decrypt and then click OK Er NOTE When the drive is being encrypted or decrypted the progress bar shows the time remaining to complete the process during the current session If the computer is shut down or initiates Sleep or Hibernation during the encryption process and then restarts the Time Remaining display resets to the beginning but the actual encryption resumes where it last stopped The time remaining and progress display will change more quickly to reflect the previous progress Backup and recovery administrator task The Drive Encryption Backup and Recovery window allows Windows administrators to back up and recover encryption keys Creating backup k
3. ENWW iv About This Book ENWW Table of contents Wl OCH O E 1 HP ProtectTools features c cece eect ener seer ee cneeee sere eeneeeee nnnm nen nnn nn nen nn nen r rr nen nene ennemis 2 HP ProtectTools security products description and common use examples sssssessssessreerrrrrrr reene 3 Credential Manager Password Manager for HP ProtectTools aaeeea 3 Embedded Security for HP ProtectTools ssssssssse emen 4 Drive Encryption for HP ProtectTools semen 4 File Sanitizer for HP Proteci Tools aineosi i tti e dd tocca eec td teen coL 5 Device Access Manager for HP ProtectTools ssssse emm 5 Privacy Manager for HP ProtectTools eecccccnccciccineniienini memes 5 Computrace for HP ProtectTools formerly known as LoJack Dro 6 Accessing HP ProtectTools Security sssssssssesseeeeeeeeeeem eene nennen nennen nnn 6 Achieving key Security obJectiV6s ui eee t tena EEAEEEEEEEEA SEENEN 6 Protecting against targeted theft 2 ceo esit reste aco ea a 7 Restricting access to sensitive data 7 Preventing unauthorized access from internal or external locations suuusse 8 Creating strong password policies sssssssssene nennen nennen 8 Additional security elements 00 00 cee ett ee rir ee nnn eene nennen nennen ener nenne nennen enn 9 Assigning ei Lu Mr EE 9 Managing HP ProtectTools passwords
4. Advanced tasks Migrating Privacy Manager Certificates and Trusted Contacts to a different computer You can securely migrate your Privacy Manager Certificates and Trusted Contacts to a different computer To do this export them as a password protected file to a network location or any removable storage device and then import the file to the new computer Exporting Privacy Manager Certificates and Trusted Contacts To export your Privacy Manager Certificates and Trusted Contacts to a password protected file follow these steps 1 In the Security Manager left pane expand Privacy Manager and click Migration 2 Click Export migration file 3 Onthe Select Data page select the data categories to be included in the migration file and then click Next 4 On the Migration File page enter a file name or click Browse to search for a location and then click Next 5 Enter and confirm a password and then click Next E NOTE Store this password in a safe place because you will need it when you import the migration file 6 Authenticate using your chosen security logon method 7 On the Migration File Saved page click Finish Importing Privacy Manager Certificates and Trusted Contacts To import your Privacy Manager Certificates and Trusted Contacts to a password protected file follow these steps 1 In the Security Manager left pane expand Privacy Manager and click Migration 2 Click Import migration fil
5. Setting a default Privacy Manager Certificate Only Privacy Manager Certificates are visible from within Privacy Manager even if additional certificates from other certificate authorities are installed on your computer If you have more than one Privacy Manager Certificate on your computer that was installed from within Privacy Manager you can specify one as the default certificate 1 2 3 In the Security Manager left pane expand Privacy Manager and click Certificate Manager Click the Privacy Manager Certificate that you want to use as the default and then click Set default Click OK NOTE You are not required to use your default Privacy Manager Certificate From within the various Privacy Manager functions you can select any of your Privacy Manager Certificates to use Deleting a Privacy Manager Certificate If you delete a Privacy Manager Certificate you cannot open any files or view any data that you encrypted with that certificate If you have accidentally deleted a Privacy Manager Certificate you can restore it using the backup file that you created when you installed the certificate To delete a Privacy Manager Certificate 1 2 3 4 5 In the Security Manager left pane expand Privacy Manager and click Certificate Manager Click the Privacy Manager Certificate you want to delete and then click Advanced Click Delete When the confirmation dialog box opens click Yes Click Clos
6. 1 n the Security Manager left pane expand File Sanitizer and click Bleaching 2 Click Bleach Now 3 Anotification bubble will appear verifying that a bleach operation has begun ENWW General tasks 47 Aborting a shred or free space bleaching operation When a shred or free space bleaching operation is in progress a message above the HP ProtectTools Security Manager icon in the notification area is displayed The message provides details on the shred or free space bleaching process percentage complete and gives you the option to abort the operation To abort the operation A Click the message and then click Stop to cancel the operation Viewing the log files Each time a shred or free space bleaching operation is performed log files of any errors or failures are generated The log files are always updated according to the latest shred or free space bleaching operation Er NOTE Files that are successfully shredded or bleached do not appear in the log files One log file is created for shred operations and another log file is created for free space bleaching operations Both log files are located on the hard drive at e C Program Files Hewlett Packard File Sanitizer Username ShredderL og txt e C Program Files Hewlett Packard File Sanitize Username DiskBleachLog txt 48 Chapter 7 File Sanitizer for HP ProtectTools ENWW 8 Embedded Security for HP ProtectTools E NOTE The integrated Trusted Platform Mod
7. r HP ProtectTools Security Software Version 6 0 User Guide Copyright 2009 2010 Hewlett Packard Development Company L P The information contained herein is subject to change without notice Microsoft Windows and Windows Vista are either trademarks or registered trademarks of Microsoft Corporation in the United States and or other countries The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP shall not be liable for technical or editorial errors or omissions contained herein This document contains proprietary information that is protected by copyright No part of this document may be photocopied reproduced or translated to another language without the prior written consent of Hewlett Packard Company HP ProtectTools Security Software User Guide Third Edition November 2010 Document Part Number 581746 003 About This Book This guide provides basic information for upgrading this computer model A WARNING Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life A CAUTION Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information E NOTE Text set off in this manner provides important supplemental information
8. ssssssseeeenn ennemis 9 Creating a secure password ener 10 Backing up credentials and settings sssssssseeee eene 11 2 HP ProtectTools Security Manager Administrative Console eene 12 About HP ProtectTools Administrative Console ssssssss eee enne 12 Using the Administrative Console sssssssssseseeeeeeneeenenen nemen nennen enne enne nen 12 Getting Started Setup Ward 13 CONTIQUFING your syslen E E annn 13 Enabling security E TE 14 Defining Security Manager authentication policies ssen 14 Here 14 SESSION mI 14 Defining SettingS m 15 Managing EE 15 AGING ERT HH 15 Removing a USEP EE 16 Checking user status arae edet OS dE deeg 16 ENWW Specifying device settings ccccceeccsccecceceeeeeeeeeeeceeeeeaneeceeeeeeeeeeeeeeadeceqeeaeaeeseeeeeeeeeeenees 16 Configuring Applications Settings esistissi arininn innana ERRENTE nennen emen AAAA 16 Encrypting Dive EH 17 Managing Re 17 3 HP ProtectTools Security Manager 1 eo oon tane an nha br asina hbri ean aa ku ba din nae hada oo oR SEE Rea e ohn kk Idae d an aRkdd 18 Logging in after Security Manager is configured emen 18 Managing pasewordes eene enne nememe nnn ennnemerid ninh renes rne n nnne irren nennen ennt nein 19 Setting credentials T 19 Changing your Windows password teers
9. A Stock Broker wants to transport extremely sensitive data to another computer using a portable drive She wants to make sure that only these two computers can open the drive even if the password is compromised The Stock Broker uses Embedded Security TPM migration to allow a second computer to have the necessary encryption keys to decrypt the data During the transport process even with the password only the two physical computers can decrypt the data Drive Encryption for HP ProtectTools Drive Encryption is most often used to restrict access to the data on the entire computer hard drive or a secondary hard drive Drive Encryption can also manage SED Self Encrypting Drive drives Example 1 A Doctor wants to make sure only he can access any data on his computer hard drive The Doctor activates Drive Encryption which enables preboot or requiring authentication before Windows login Once set up the hard drive cannot be opened without a password before it even boots to the operating system The Doctor could further enhance drive security by choosing to encrypt the data with the SED Self Encrypting Drive option 4 Chapter 1 Introduction to security ENWW Both Embedded Security and Drive Encryption for HP ProtectTools will not allow access to the encrypted data even when the drive is removed because they are both bound to the original motherboard Example 2 A Hospital Administrator wants to ensure only doctors and authorized personnel can a
10. gt green arrow gt Settings Organizing logons into categories ENWW Use categories to keep your logons in order It s a simple matter of creating one or more categories and drag and dropping your logons into the desired categories To add a category 1 In the Security Manager left pane select Password Manager 2 Select the Manage tab and click Add Category 3 Enter a name for the category 4 Click OK To add a logon to a category 1 Place your mouse pointer over the desired logon 2 Press and hold the left mouse button 3 Drag the logon into the list of categories Categories will become highlighted as you move your mouse over them 4 Release the mouse button when the desired category is highlighted Your logons are not moved to the category but only copied to the selected category That means that you can add the same logon to more than one category And you can always see all of your logon by clicking All Using the Logons menu 27 Managing your logons Password Manager makes managing your logon information user names passwords and multiple logon accounts painless and intuitive from one central location Your logons are listed on the Manage tab Whenever multiple logons have been created for the same website each logon is then listed under the website name and indented in the logon list To manage your logons In the Security Manager left pane select Password Manager and click the Manage tab Op
11. Access Manager Simple Configuration ENWW This feature allows you to deny access to the following classes of devices USB devices for all non Device Administrators All removable media floppy disks personal music players pen drives etc for all non Device Administrators All DVD CD ROM drives for all non Device Administrators All serial and parallel ports for all non Device Administrators To deny access to a class of device for all non Device Administrators 1 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console In the left pane click Device Access Manager and then click Simple Configuration In the right pane select the check box of a device to deny access Click the Save icon Starting background service 53 amp NOTE If background service is not running it attempts to start now Click Yes to allow it 5 Click OK Device class configuration advanced More selections are available to allow specific users or groups of users to be granted or denied access to types of devices Adding a user or a group 1 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console In the left pane expand Device Access Manager and then click Device Class Configuration In the device list click the device class that you want to configure Click Add The Select Users or Groups dialog box opens Click Advanced and then click F
12. Administrative Console only NOTE Drive Encryption is not supported on 64 bit operating systems when configured with RAID on systems that use an AMD processor Drive Encryption e X Allows you to encrypt everything on your internal hard drives e Gives you easy password access and pre boot authentication e Supports Microsoft Windows XP Windows Vista and Windows 7 e Makes use of the Trusted Platform Module TPM embedded security chip if equipped and configured with TPM Various tasks can be performed in Drive Encryption for HP ProtectTools e Manage Drive Encryption o Activate a TPM protected password Encrypt or decrypt individual drives Activate a self encrypting drive SED e Backup and Recovery Create backup keys Register for online recovery Manage an existing online recovery account Perform a recovery CAUTION If you decide to uninstall the Drive Encryption module or if you are using a backup and restore solution you must first decrypt all encrypted drives If you do not you will not be able to access the data on encrypted drives unless you have registered with the Drive Encryption recovery service Reinstalling the Drive Encryption module will not enable you to access the encrypted drives 29 Setup procedures Opening Drive Encryption 1 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console 2 Click Drive Encryption General tasks Activatin
13. Do not prompt for this screen Select this option so that Password Manager will not prompt you again to add a logon for this specific logon screen e Never prompt Select this option to ensure that Password Manager never prompts you for logon screens that have not been set up Additional Privacy Manager settings are available by selecting Password Manager gt Windows password gt green arrow gt Settings in Security Manager 28 Chapter 4 Password Manager for HP ProtectTools ENWW 5 ENWW Drive Encryption for HP ProtectTools NOTE Drive Encryption for HP ProtectTools is available on some models only In today s world a computer belonging to you or anyone on your staff could be stolen and critical information about your company could be seriously compromised Encrypting everything on your computer hard drive makes it unreadable and inaccessible to any unauthorized person who might try to access it even if the drive has been removed from the computer or sent to a data recovery service Drive Encryption for HP ProtectTools software is the industry s first full volume encryption capability to be provided out of the box It provides complete data protection by encrypting your hard drive When Drive Encryption is activated you must log in at the Drive Encryption login screen which is displayed before Windows starts up NOTE Drive Encryption for HP ProtectTools can be enabled through the Setup Wizard in the HP ProtectTools
14. ProtectTools Security Manager as a central location from which you can back up and restore security credentials from installed HP ProtectTools modules Additional security elements 11 2 HP ProtectTools Security Manager Administrative Console About HP ProtectTools Administrative Console Administration of HP ProtectTools Security Manager is provided through the Administrative Console Using the console the local administrator can e Enable or disable security features e Manage users of the computer e Adjust device specific parameters e Configure Security Manager applications e A Add additional Security Manager applications Using the Administrative Console The Security Manager Administrative Console is the central location for administering HP ProtectTools Security Manager To open the console e Select Start gt All Programs gt HP gt HP ProtectTools Administrative Console or e Clickthe Administration link in the lower left corner of the Security Manager console The Administrative Console consists of two panes a left pane and a right pane The left pane contains the administrative tools The right pane contains the working area for configuring the tools The Administrative Console left pane consists of the following e Home Provides easy access to commonly used tasks including enabling security features specifying security credentials and managing users e System Manages configuration of system wide sec
15. Security for HP ProtectTools module encrypts sensitive data to help ensure it cannot be accessed without authentication See the following chapter o Embedded Security for HP ProtectTools on page 49 Computrace can track the computer s location after a theft See the following chapter Computrace for HP ProtectTools on page 57 Restricting access to sensitive data ENWW Suppose a contract auditor is working on site and has been given computer access to review sensitive financial data you do not want the auditor to be able to print the files or save them to a writeable device such as a CD The following feature helps restrict access to data Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable devices so sensitive information cannot be printed or copied from the hard drive onto removable media See Device class configuration advanced on page 54 Achieving key security objectives 7 Preventing unauthorized access from internal or external locations Unauthorized access to an unsecured business PC presents a very tangible risk to critical data such as information from financial services an executive or R amp D team and to private information such as patient records or personal financial records The following features help prevent unauthorized access The pre boot authentication feature if enabled helps prevent access to the operating system See the following chapters
16. characters and include special characters and punctuation marks Substitute special characters or numbers for letters in a key word For example you can use the number 1 for letters or L Combine words from 2 or more languages Split a word or phrase with numbers or special characters in the middle for example Mary2 2Cat45 Do not use a password that would appear in a dictionary Do not use your name for the password or any other personal information such as birth date pet names or mother s maiden name even if you spell it backwards Change passwords regularly You might change only a couple of characters that increment If you write down your password do not store it in a commonly visible place very close to the computer Do not save the password in a file such as an e mail on the computer Do not share accounts or tell anyone your password Introduction to security ENWW Backing up credentials and settings ENWW You can back up credentials in the following ways Use Drive Encryption for HP ProtectTools to select and back up HP ProtectTools credentials You can also register for Online Drive Encryption Key Recovery Service to store a backup copy of your encryption key which will enable you to access your computer if you forget your password and do not have access to your local backup Use Embedded Security for HP ProtectTools to back up HP ProtectTools credentials Use the Backup and Recovery tool in HP
17. generated Enter one or more e mail addresses of the recipients you want to add as Trusted Contacts Edit the text and sign your name optional Click Send NOTE f you have not obtained a Privacy Manager Certificate a message informs you that you must have a Privacy Manager Certificate in order to send a Trusted Contact request Click OK to launch the Certificate Request Wizard Authenticate using your chosen security logon method When you receive an e mail response from a recipient accepting the invitation to become a Trusted Contact click Accept in the lower right corner of the e mail A dialog box opens confirming that the recipient has been successfully added to your Trusted Contacts list Click OK Adding Trusted Contacts using your Microsoft Outlook address book 1 6 In the Security Manager left pane expand Privacy Manager click Trusted Contacts and then click the Invite Contacts button In Microsoft Outlook click the down arrow next to Send Securely on the toolbar and then click Invite All My Outlook Contacts When the Trusted Contact Invitation page opens select the e mails address of the recipients you want to add as Trusted Contacts and then click Next When the Sending Invitation page opens click Finish An e mail listing the selected Microsoft Outlook e mail addresses is automatically generated Edit the text and sign your name optional Click Send NOTE f you have not ob
18. on your computer and periodically bleach the hard drive write over data that has been previously deleted but is still present on the hard drive in order to make recovery of the data more difficult Chapter 1 Introduction to security ENWW Module Key features Smart Card Security part of Security Manager e Provides a management software interface for Smart Card HP ProtectTools Smart Card is a personal security device that protects authentication data requiring both the card and a PIN number to grant access The Smart Card can be used to access Password Manager Drive Encryption or any number of third party access points e Change PIN number Embedded Security for HP ProtectTools e Uses a Trusted Platform Module TPM embedded security chip if equipped to help protect against unauthorized access to sensitive user data or credentials stored locally on a PC e Allows creation of a personal secure drive PSD which is useful in protecting user file and folder information e Supports third party applications such as Microsoft Outlook and Internet Explorer for protected digital certificate operations Device Access Manager for HP ProtectTools e Allows IT managers or administrators to control access to devices such as USB ports optical drives personal music players etc based on user profiles e Prevents unauthorized users from removing data using external storage media and from introducing viruses into the system fro
19. pane click Embedded Security and then click Backup 3 Inthe right pane click Configure The HP Embedded Security for HP ProtectTools Backup Wizard opens 4 Follow the on screen instructions Restoring certification data from the backup file To restore data from the backup file 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 In the left pane click Embedded Security and then click Backup 3 Inthe right pane click Restore all The HP Embedded Security for HP ProtectTools Backup Wizard opens 4 Follow the on screen instructions Changing the owner password To change the owner password 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 In the left pane click Embedded Security and then click Advanced 3 In the right pane under Owner Password click Change 4 Type the old owner password and then set and confirm the new owner password 5 Click OK Resetting a user password An administrator can help a user to reset a forgotten password For more information refer to the software Help Migrating keys with the Migration Wizard Migration is an advanced administrator task that allows the management restoration and transfer of keys and certificates For details on migration refer to the Embedded Security software Help 52 Chapter8 Embedded Security for HP ProtectTools ENWW 9 Device Access Manager for HP ProtectTool
20. sssssssss 49 Enabling the embedded security chip in Computer Setup sssssssssssss 49 Initializing the embedded security chip ssssee me 50 Setting up the basic user account 50 ECuICEcH c4 Em 51 Using the Personal Secure Drive iaceo a Bacci eae via ENER 51 Encrypting files and folders AA 51 Sending and receiving encrypted e mail 51 Advanced tasks eee bim a d Laid e adde a btts a oci een dud een ug esa du E Eg da nun 52 Backing up and restoring sssssssssee enne rennen nennen 52 Creatingia backup flle enema ede etn sua ee errat hause tee pe tii 52 Restoring certification data from the backup file ssssssssss 52 Changing the owner password enne rne en nennen nnns 52 Resetting a user passWOFd eria itus udi Lo eaa ri E eee e TREE Rode aid 52 Migrating keys with the Migration Wizard ssseee mm 52 9 Device Access Manager for HP ProtectTools sseeeeeeeeeeeeeeeneee nennen nnne nna rn in nennen nnne 53 Starting background serviCe dn tdem didi ako deed den ERR RR LL REA RR LA ung o 53 Simple eene UC rior MD 53 Device class configuration advanced sssssssssseeeeenn nennen nnns 54 Adding a user ora group iere e ue eee cr ERRARE ERRARE ERRARE ER eed 54 Removing a user or a group ssssssssssssssseeene enne ee nneennnnenrennen nnne iaaeaie 54 Denying or allowing access to a user or gr
21. such as handling the emergency recovery archive and configuring user access settings Follow the steps in the following 2 sections to enable and initialize the embedded security chip Installing Embedded Security for HP ProtectTools if necessary To install Embedded Security for HP ProtectTools 1 Click Start click All Programs and click Install Embedded Security for HP ProtectTools 2 Accept the UAC warning 3 Click Next then enter User Name amp Organization name if appropriate 4 Click Next click Install and click Finish when complete 5 Select Yes or No for the reboot request Enabling the embedded security chip in Computer Setup The embedded security chip can be enabled in the Quick Initialization Wizard or in the Computer Setup utility as described below ENWW Setup procedures 49 To enable the embedded security chip in Computer Setup 1 Open Computer Setup by turning on or restarting the computer and then pressing F 10 while the F10 ROM Based Setup message is displayed in the lower left corner of the screen If you have not set an administrator password use the arrow keys to select Security select Setup password and then press Enter Type your password in the New password and Verify new password boxes and then press F10 In the Security menu use the arrow keys to select TPM Embedded Security and then press Enter Select Embedded security device state and change to Enable Press F10 to a
22. they are using Embedded Security for HP ProtectTools Embedded Security for HP ProtectTools provides the ability to create a Personal Secure Drive This capability allows the user to create a virtual drive partition on the PC that is completely hidden until accessed Embedded Security could be used anywhere data needs to be secretly protected while the rest of the data is not encrypted Example 1 A Warehouse Manager has a computer that multiple workers access intermittently throughout the day The Manager wants to encrypt and hide confidential warehouse data on the computer He wants the data to be so secure that even if someone steals the hard drive they cannot decrypt the data or read it The Warehouse Manager decides to activate Embedded Security and moves the confidential data to the Personal Secure Drive The Warehouse Manager can enter a password and access the confidential data just like another hard drive When he logs off or reboots the Personal Secure Drive it cannot be seen or opened without the proper password The workers never see the confidential data when they access the computer Embedded Security protects encryption keys within a hardware TPM Trusted Computing Module chip located on the motherboard It is the only encryption tool that meets the minimum requirements to resist password attacks where someone would attempt to guess the decryption password Embedded Security can also encrypt the entire drive and e mail Example 2
23. to Device Access Manager for HP ProtectTools on page 53 Encrypting Drives 17 A HP ProtectTools Security Manager HP ProtectTools Security Manager allows you to significantly increase the security of your computer Through the use of Security Manager applications you can Manage your logon and passwords Easily change your Windows password Set up authentication credentials including a smart card Increase the privacy and security of e mails documents and instant messaging Shred or bleach your hard drive View drive encryptions status View device access settings Activate theft recovery software Back up and restore Security Manager data Logging in after Security Manager is configured Login scenarios vary depending on the levels of security and security login methods chosen by the Windows administrator during configuration Several possible scenarios follow If all levels of security have been configured and all security login methods are required users must log in using all of the configured methods when the computer is first turned on This action logs the user in to Windows If all levels of security have been configured and any of the security login methods is permissible users may log in using any one of the configured security login methods when the computer is first turned on This action logs the user in to Windows If the HP Drive Encryption and the HP Password Manager levels of security have been confi
24. user from both Security Manager and Windows 1 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console 2 Inthe Administrative Console left pane click User Click the user name for the account you want to remove and then click Delete 4 Inthe confirmation dialog box click Yes Checking user status The User section of the Administrative Console shows the current status of each user e Green check mark Indicates that the user has configured the required security login method s e Tilde Indicates that the user has not configured a required security login method and will be locked out of the computer when trying to log in The user must run the setup wizard to configure the required login method s e Blank Indicates that a security login method is not required Specifying device settings Within the Device application you can configure the computer to automatically lock when a smart card is removed However the computer will lock only if the smart card was used as an authentication credential when logging on to Windows 1 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console 2 Inthe Administrative Console left pane expand Devices and then click Smart Card 3 Click the check box to enable or disable locking the computer upon smart card removal Configuring Applications Settings The Settings window includes tools for configu
25. you want to exclude from shredding When you finish configuring the shred profile click Apply Customizing a simple delete profile The simple delete profile performs a standard asset delete without shredding When you customize a simple delete profile you specify which assets to include for a simple delete which assets to confirm before a simple delete is executed and which assets to exclude from a simple delete ENWW Setup procedures 45 E NOTE Itis highly recommended that you run free space bleaching regularly if you use the simple delete option 1 In the Security Manager left pane expand File Sanitizer click Settings select Simple Delete Settings and then click View Details 2 Select the assets you want to delete a Under Available delete options click an asset and then click Add b Toadda custom asset click Add Custom Option enter or browse to a file name or folder name and then click OK Click the custom asset and then click Add amp NOTE To delete an asset from the available delete options click the asset and then click Delete 3 Under Delete the following select the check box next to each asset that you want to confirm before deleting dl Ef NOTE To remove an asset from the delete list click the asset and then click Remove 4 Under Do not delete the following click Add to select the specific assets that you want to exclude from shredding 5 When you finish configurin
26. HP account representative To log in to Customer Center 1 Go to https cc absolute com 2 Inthe Login ID and Password fields type the credentials you received in the confirmation e mail and then click the Log in button Using the Customer Center you can e Monitor your computers e Protect your remote data e Report the theft of any computer protected by Computrace Click Learn More for more details about Computrace for HP ProtectTools 57 Glossary activation The task that must be completed before any of the Drive Encryption features are accessible Drive Encryption is activated using the HP ProtectTools Security Manager Administrative Console setup wizard Only an administrator can activate Drive Encryption The activation process consists of activating the software encrypting the drive creating a user account and creating the initial backup encryption key on a removable storage device administrator See Windows administrator asset A data component consisting of personal information or files historical and Web related data and so on which is located on the hard drive authentication Process of verifying whether a user is authorized to perform a task such as accessing a computer modifying settings for a particular program or viewing secured data automatic shredding Scheduled shredding that the user sets in File Sanitizer for HP ProtectTools Automatic Technology Manager ATM Allows netw
27. ITA for a user or group Administrators can disable a users or group access to devices using just in time authentication 1 In the left pane of HP ProtectTools Administrative Console click Device Access Manager and then click JITA configuration 2 From the devices drop down menu select either removable media or DVD CD ROM drives 3 Select the User whose JITA you wish to disable 4 Click the Enabled check box to clear it 5 Click the Apply button Now when the user logs in and attempts to access the device they will be denied access Advanced Settings The Advanced Setting page provides the following functionality e Management of the Device Administrators group e Management of drive letters to which the Device Access Manager never denies access The Device Administrators group is used to exclude trusted users trusted in terms of device access from the restrictions imposed by a Device Access Manager policy Suitable users are likely to include the system Administrators The Advanced Settings view also enables the Administrator to configure a list of drive letters to which Device Access Manager will not restrict access for any user In order to configure the list of drive letters the Device Access Manager background services need to be running The easiest way to start these services is to apply a Simple Configuration policy such as denying all non Device Administrators access to removable media 56 Chapter9 Device Access Mana
28. Installing a Privacy Manager Certificate sse 33 Viewing Privacy Manager Certificate details sss 33 Renewing a Privacy Manager Certificate sss enne 34 Setting a default Privacy Manager Certificate sssssssseen 34 Deleting a Privacy Manager Certificate sssssssseeeeennnm eene 34 Restoring a Privacy Manager Certificate ssssssse emn 34 Revoking your Privacy Manager Certificate sssssseseen enne 35 Managing Trusted Contacts 2 rtr cr lance ener ern cce dert e en eed ecd dada 35 Adding Trusted Contacts ssssssssssssseeeen mener 35 Adding a Trusted Contact 36 Adding Trusted Contacts using your Microsoft Outlook address DOOK e MH 36 Viewing Trusted Contact details sssssssee em 37 Deleting a Trusted Contact eedem d e ee odd dae p ctc dd 37 Checking revocation status for a Trusted Contact seessssssuss 37 General tas ccm E 37 Using Privacy Manager in Microsoft Office 37 Using Privacy Manager in Microsoft Outlook e 41 Advanced BEE 42 Migrating Privacy Manager Certificates and Trusted Contacts to a different computer 42 Exporting Privacy Manager Certificates and Trusted Contacts 42 Importing Privacy Manager Certificates and Trusted Contacts
29. Password Manager for HP ProtectTools on page 25 o Embedded Security for HP ProtectTools on page 49 o Drive Encryption for HP ProtectTools on page 29 Embedded Security for HP ProtectTools helps strengthen the protection of sensitive user data or credentials stored locally on a PC See the following chapter o Embedded Security for HP ProtectTools on page 49 Password Manager for HP ProtectTools helps ensure that an unauthorized user cannot get passwords or access to password protected applications See the following chapter o Password Manager for HP ProtectTools on page 25 Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable devices so sensitive information cannot be copied from the hard drive See the following chapter o Device Access Manager for HP ProtectTools on page 53 The Personal Secure Drive feature encrypts sensitive data to help ensure it cannot be accessed without authentication See the following section Embedded Security for HP ProtectTools on page 49 File Sanitizer allows you to securely delete data by shredding critical files and folders or bleaching the hard drive write over data that has been previously deleted but is still present on the hard drive in order to make recovery of the data more difficult See the following chapter File Sanitizer for HP ProtectTools on page 43 Privacy Manager allows you to obtain Certificates of Authority when using Microsoft m
30. Settings and then click the E mail tab On the main Microsoft Outlook toolbar click the down arrow next to Privacy and then click Settings On the toolbar of a Microsoft e mail message click the down arrow next to Send Securely and then click Settings 2 Select the actions you want to perform when you send a secure e mail and then click OK Signing and sending an e mail message 1 In Microsoft Outlook click New or Reply 2 Type your e mail message 3 Click the down arrow next to Send Securely and then click Sign and Send 4 Authenticate using your chosen security logon method Sealing and sending an e mail message Sealed e mail messages that are digitally signed and sealed encrypted can only be viewed by people you choose from your Trusted Contacts list To seal and send an e mail message to a Trusted Contact 1 n Microsoft Outlook click New or Reply 2 Type your e mail message 3 Click the down arrow next to Send Securely and then click Seal for Trusted Contacts and Send 4 Authenticate using your chosen security logon method Viewing a sealed e mail message When you open a sealed e mail message the security label is displayed in the heading of the e mail The security label provides the following information e Which credentials were used to verify the identity of the person who signed the e mail e The product that was used to verify the credentials of the person who signed the e mail Generaltasks 41
31. acy Manager Certificate in order to view a signed Microsoft Office document When a signed Microsoft Office document is opened a Signatures dialog box opens next to the document displaying the name of the user who signed the document and the date it was signed You can right click the name to view additional details Viewing an encrypted Microsoft Office document To view an encrypted Microsoft Office document from another computer Privacy Manager must be installed on that computer In addition you must import the Privacy Manager Certificate that was used to encrypt the file A Trusted Contact wanting to view an encrypted Microsoft Office document must have a Privacy Manager Certificate and Privacy Manager must be installed on his or her computer In addition the Trusted Contact must be selected by the owner of the encrypted Microsoft Office document 40 Chapter6 Privacy Manager for HP ProtectTools ENWW Using Privacy Manager in Microsoft Outlook ENWW When Privacy Manager is installed a Privacy button is displayed on the Microsoft Outlook toolbar and a Send Securely button is displayed on the toolbar of each Microsoft Outlook e mail message NOTE f you are using Microsoft Office 2007 you must have all the Microsoft updates applied otherwise some signed e mails will go into the Junk E mail folder Configuring Privacy Manager for Microsoft Outlook 1 In the Security Manager left pane expand Privacy Manager and click
32. ail Office documents and Instant Messenger making the process of sending and saving important information safe and secure See the following chapter o Privacy Manager for HP ProtectTools on page 32 Creating strong password policies If a mandate goes into effect that requires the use of strong password policy for dozens of Web based applications and databases Password Manager for HP ProtectTools provides a protected repository for passwords and Single Sign On convenience See the following chapter Chapter 1 Password Manager for HP ProtectTools on page 25 Introduction to security ENWW Additional security elements Assigning security roles E NOTE In managing computer security one important practice is to divide responsibilities and rights among various types of administrators and users In a small organization or for individual use these roles may all be held by the same person For HP ProtectTools the security duties and privileges can be divided into the following roles e Security officer Defines the security level for the company or network and determines the security features to deploy such as Drive Encryption or Embedded Security e l Tadministrator Applies and manages the security features defined by the security officer Can also enable and disable some features For example if the security officer has decided to deploy Smart Cards the IT administrator can enable both password and Smart Card mod
33. an advanced security shred profile When you create a shred profile you specify the number of shred cycles which assets to include for shredding which assets to confirm before shredding and which assets to exclude from shredding 1 6 In the Security Manager left pane expand File Sanitizer click Settings select Advanced Security Settings and then click View Details Specify the number of shred cycles NOTE The selected number of shredding cycles will be performed for each asset For example if you choose 3 shred cycles an algorithm that obscures the data is executed 3 different times If you choose the higher security shred cycles shredding may take a significant length of time however the higher the number of shred cycles you specify the more secure the computer is Select the assets you want to shred a Under Available shred options click an asset and then click Add b To add a custom asset click Add Custom Option enter or browse to a file name or folder name and then click OK Click the custom asset and then click Add E NOTE To delete an asset from the available shred options click the asset and then click Delete Under Shred the following select the check box next to each asset that you want to confirm before shredding NOTE To remove an asset from the shred list click the asset and then click Remove Under Do not shred the following click Add to select the specific assets that
34. anager for HP ProtectTools adding a signature line when signing a Microsoft Word or Microsoft Excel document 38 adding a suggested signer s signature line 39 adding a trusted contact 36 Adding suggested signers to a Microsoft Word or Microsoft Excel document 38 adding trusted contacts 35 adding trusted contacts using Microsoft Outlook address book 36 checking revocation status for a trusted contact 37 common use examples 5 configuring Privacy Manager for Microsoft Outlook 41 configuring Privacy Manager in a Microsoft Office document 38 deleting a Privacy Manager certificate 34 deleting a trusted contact 37 encrypting a Microsoft Office document 39 exporting Privacy Manager Certificates and Trusted Contacts 42 importing Privacy Manager Certificates and Trusted Contacts 42 installing a Privacy Manager certificate 33 managing Privacy Manager certificates 32 managing trusted contacts 35 migrating Privacy Manager Certificates and Trusted Contacts to a different computer 42 opening 32 removing the encryption from a Microsoft Office document 40 renewing a Privacy Manager certificate 34 requesting a Privacy Manager certificate 33 restoring a Privacy Manager certificate 34 revoking a Privacy Manager certificate 35 sealing and sending an e mail message 41 sending an encrypted Microsoft Office document 40 setting a default Privacy Manager certificate 34 setup procedures 32 signing a Microsoft Office docume
35. avigate to the logon screen and log you in automatically To verify your identity you will use your HP ProtectTools credentials such as your Windows password or smart card depending on your computer configuration This means that you will use the same credentials to log on to all logon screens you have set up You can therefore create stronger passwords that you don t have to write down or remember and keep your accounts more secure Password Manager lets you see at a glance whether any of your passwords are a security risk and can automatically generate a strong complex password to use for new sites With Password Manager you can also view your logons including your passwords and edit them at any time Many Password Manager features are also available from the Password Manager icon that displays whenever the focus is on the logon screen of a program that has been set up or on any website logon screen Clicking on the icon displays a context menu where you can choose from among the following options For web pages or programs where a logon has not yet been created The following options are shown on the context menu e Add somedomain com to the Password Manager Use to add a logon for the current logon screen e Open Password Manager Launches Security Manager on the Password Manager page e Password Manager Icon settings Allows you to specify conditions under which the Password Manager Icon displays e Help Displays online he
36. ccept the changes to the Embedded Security configuration To save your preferences and exit Computer Setup use the arrow keys to select File and click Save Changes and Exit Then follow the on screen instructions Initializing the embedded security chip In the initialization process for Embedded Security you will perform the following tasks Set an owner password for the embedded security chip that protects access to all owner functions on the embedded security chip Set up the emergency recovery archive which is a protected storage area that allows reencryption of the Basic User Keys for all users To initialize the embedded security chip 1 2 Right click the HP ProtectTools Security Manager icon in the notification area at the far right of the taskbar and then select Embedded Security Initialization The HP ProtectTools Embedded Security Initialization Wizard opens Follow the on screen instructions Setting up the basic user account Setting up a basic user account in Embedded Security accomplishes the following tasks Produces a Basic User Key that protects encrypted information and sets a Basic User Key password to protect the Basic User Key Sets up a personal secure drive PSD for storing encrypted files and folders A CAUTION Safeguard the Basic User Key password Encrypted information cannot be accessed or recovered without this password To set up a basic user account and enable the user securi
37. ccess any data on their local computer without sharing their personal passwords The IT department adds the Administrator doctors and all authorized personnel as Drive Encryption users Now only authorized personnel can boot to the computer or Domain using their personal username and password File Sanitizer for HP ProtectTools File Sanitizer for HP ProtectTools is used to permanently delete data including Internet browser activity temporary files previously deleted data or any other information File Sanitizer can be configured to run either manually or automatically on a user defined schedule Example 1 An Attorney often deals with sensitive client information and wants to ensure data on deleted files cannot be recovered The Attorney uses File Sanitizer to Shred deleted files so it is almost impossible to recover Normally when Windows deletes data it actually does not erase the data from the hard drive Instead it marks the hard drive sectors as available for future use Until the data is written over it can be easily recovered using common tools available on the Internet File Sanitizer overwrites the sectors with random data multiple times when necessary thereby making the deleted data unreadable and unrecoverable Example 2 A Researcher wants to shred deleted data temporary files browser activity etc automatically when she logs off She uses File Sanitizer to schedule Shredding so she can select the common files
38. cess Manager to enable access for some employees while blocking external access to others Privacy Manager for HP ProtectTools Privacy Manager for HP ProtectTools is used when Internet e mail communications need to be secured The user can create and send e mail that can only be opened by an authenticated recipient With Privacy Manger the information cannot be compromised or intercepted by an imposter ENWW HP ProtectTools security products description and common use examples 5 6 Example 1 A Stock Broker wants to make sure his e mails only go to specific clients and ensure no one can fake the e mail account and intercept it The Stock Broker signs himself and his clients up with Privacy Manager Privacy Manager issues them a Certificate of Authentication CA to each user Using this tool the Stock Broker and his clients must authenticate before the e mail is exchanged Privacy Manager for HP ProtectTools makes it easy to send and receive e mail where the recipient has been verified and authenticated The mail service can also be encrypted The encryption process is similar to the one used during general credit card purchases on the Internet Example 2 A CEO wants to insure that only the members of the board of directors can view the information he sends through e mail The CEO uses the option to encrypt the e mail sent and received from the directors Privacy Manager Certificate of Authentication allows the CEO and directors to have a cop
39. curity setup and configures options or requirements for all users HP ProtectTools Security Manager for general users e Allows users to configure options provided by an administrator e Canrestrict access and only allow a user limited controls of some HP ProtectTools modules NOTE Password Manager Smart Card Security Face Recognition some models and Drive Encryption are configured using the Security Manager setup wizard HP Professional Desktop systems do not currently support fingerprint devices HP ProtectTools software modules may be preinstalled preloaded or available as a configurable option or as an after market option Visit http www hp com for more information NOTE The instructions in this guide are written with the assumption that you have already installed the applicable HP ProtectTools software modules 2 HP ProtectTools features The following table details the key features of HP ProtectTools modules Module HP ProtectTools Security Manager Administrative Console Key features The Security Manager setup wizard is used by administrators to set up and configure levels of security and security logon methods Configure options hidden from basic users Activate Drive Encryption and configure user access Configure Device Access Manager configurations and user access Administrator tools are used to add and remove HP ProtectTools users and view user status HP ProtectTools Sec
40. ds on the screen and their corresponding fields on the dialog are identified with a bold orange border Enter the Windows password and click the green arrow Password Manager for HP ProtectTools ENWW 4 Edit your logon information e Click the arrows to the right of a logon field to populate it with one of several preformatted choices e Optionally click Choose other fields to add additional fields from the screen to your logon e Deselect Submit account data if you want the logon fields filled in but do not want them submitted e f you want to view the password for this logon click Show password The Windows password is required to see the password 5 Click OK Using the Logons menu Password Manager provides a fast easy way to launch the websites and programs that you have created logons for Simply double clicking a program or website logon from the Logons menu or on the Manage tab in Password Manager will launch its logon screen and fill in your logon data By default the information is also immediately submitted to the website although you can choose not to do so by deselecting Submit account data when initially setting up or editing the logon When you create a logon it is automatically added to your Password Manager Logons menu To display the Logons menu press the Password Manager Hot Key combination Ctrl Win H is the default but you can change the Hot Key combination from Password Manager Windows password
41. e 3 On the Select Data page select the data categories to be included in the migration file and then click Next 4 On the Migration File page enter a file name or click Browse to search for a location and then click Next 5 Onthe Migration File Import page click Finish 42 Chapter6 Privacy Manager for HP ProtectTools ENWW File Sanitizer for HP ProtectTools File Sanitizer is a tool that allows you to securely erase critical files and folders personal information or files historical or Web related data or other data components on your computer and periodically bleach your hard drive NOTE File Sanitizer currently operates only on the hard drive About shredding Deleting an asset in Windows does not completely remove the contents of the asset from your hard drive Windows only deletes the reference to the asset The content of the asset still remains on the hard drive until another asset overwrites that same area on the hard drive with new information Shredding is different than a standard Windows delete also known as a simple delete in File Sanitizer in that when you shred an asset an algorithm that obscures the data is invoked which makes it virtually impossible to retrieve the original asset When you choose a shred profile High Security Medium Security or Low Security a predefined list of assets and an erase method are automatically selected for shredding You can also customize a shred
42. e e User Uses the security features For example if the security officer and IT administrator have enabled Smart Cards for the system the user can use the card for authentication Managing HP ProtectTools passwords ENWW Most of the HP ProtectTools Security Manager features are secured by passwords The following table lists the commonly used passwords the software module where the password is set and the password function The passwords that are set and used by IT administrators only are indicated in this table as well All other passwords may be set by regular users or administrators HP ProtectTools password Set in this HP ProtectTools module Password Manager logon Password Manager password Basic User Key password Embedded Security NOTE Also known as Embedded Security password Emergency Recovery Token Embedded Security by IT password administrator NOTE Also known as Emergency Recovery Token Key password Owner password Embedded Security by IT administrator Function This password offers 2 options e It can be used in a separate logon to access Password Manager after logging on to Windows e It can be used in place of the Windows logon process allowing access to Windows and Password Manager simultaneously Used to access Embedded Security features such as secure e mail file and folder encryption When used for power on authentication also protects access to the computer contents whe
43. e and then click Apply Restoring a Privacy Manager Certificate 34 If you have accidentally deleted a Privacy Manager Certificate you can restore it using the backup file that you created when you installed or exported the certificate 1 2 Chapter In the Security Manager left pane expand Privacy Manager and click Migration Click the Restore button 6 Privacy Manager for HP ProtectTools ENWW 3 On the Migration File page click Browse to search for the dppsm file that you created when you installed or exported the Privacy Manager Certificate and then click Next 4 On the Migration File Import page click Finish 5 Click Close and then click Apply E NOTE Refer to Installing a Privacy Manager Certificate or Exporting Privacy Manager Certificates and Trusted Contacts for more information Revoking your Privacy Manager Certificate If you feel that the security of your Privacy Manager Certificate has been jeopardized you may revoke your own certificate Er NOTE A revoked Privacy Manager Certificate is not deleted The certificate can still be used to view files that are encrypted In the Security Manager left pane expand Privacy Manager and click Certificate Manager Click Advanced Click the Privacy Manager Certificate you want to revoke and then click Revoke 1 2 3 4 When the confirmation dialog box opens click Yes 5 Authenticate using your chosen security logon method 6 Follow th
44. e e mail address must be 32 Chapter6 Privacy Manager for HP ProtectTools ENWW set up as an account within Microsoft Outlook on the same computer from which you are requesting the Privacy Manager Certificate Requesting a Privacy Manager Certificate 1 2 3 4 5 p In the Security Manager left pane expand Privacy Manager and click Certificates Click the Request a Privacy Manager certificate button On the Welcome page read the text and then click Next On the License Agreement page read the license agreement Be sure that the check box next to Check here to accept the terms of this license agreement is selected and then click Next On the Your Certificate Details page enter the required information and then click Next On the Certificate Request Accepted page click Finish You will receive an e mail in Microsoft Outlook with your Privacy Manager Certificate attached Installing a Privacy Manager Certificate 1 When you receive the e mail with your Privacy Manager Certificate attached open the e mail and click the Setup button in the lower right corner of the message Authenticate using your chosen security logon method On the Certificate Installed page click Next On the Certificate Backup page enter a location and name for the backup file or click Browse to search for a location CAUTION Be sure that you save the file to a location other than your hard drive a
45. e on screen instructions Managing Trusted Contacts Trusted Contacts are users with whom you have exchanged Privacy Manager Certificates enabling you to securely communicate with one another Adding Trusted Contacts 1 You send an e mail invitation to a Trusted Contact recipient 2 The Trusted Contact recipient responds to the e mail 3 You receive the e mail response from the Trusted Contact recipient and click Accept You can send Trusted Contact e mail invitations to individual recipients or you can send the invitation to all the contacts in your Microsoft Outlook address book Er NOTE To respond to your invitation to become a Trusted Contact Trusted Contact recipients must have Privacy Manager installed on their computers or have the alternate client installed For information on installing the alternate client access the DigitalPersona website at http DigitalPersona com PrivacyManager ENWW Setup procedures 35 Adding a Trusted Contact 1 9 In the Security Manager left pane expand Privacy Manager and click Trusted Contacts and then click the Invite Contacts button In Microsoft Outlook click the down arrow next to Send Securely on the toolbar and then click Invite Contacts If the Select Certificate dialog box opens click the Privacy Manager Certificate you want to use and then click OK When the Trusted Contact Invitation dialog box opens read the text and then click OK An e mail is automatically
46. ed initiates an automatic shred for example Ctrl Alt S manual shred Immediate shredding of an asset or selected assets which bypasses the automatic shred schedule migration A task that allows the management restoration and transfer of Privacy Manager Certificates and Trusted Contacts network account Windows user or administrator account either on a local computer in a workgroup or on a domain personal secure drive PSD Provides a protected storage area for sensitive information power on authentication Security feature that requires a password when the computer is turned on Privacy Manager certificate A digital certificate that requires authentication each time you use it for cryptographic operations such as signing and encrypting e mail messages and Microsoft Office documents Public Key Infrastructure PKI Standard that defines the interfaces for creating using and administering certificates and cryptographic keys reboot Process of restarting the computer reveal ENWW Glossary 59 A task that allows the user to decrypt one or more chat history sessions displaying the Contact Screen Name s in plain text and making the session available for viewing revocation password A password that is created when a user requests a digital certificate The password is required when the user wants to revoke his or her digital certificate This ensures that only the user may revoke the certificate seal for tr
47. eeeeaaeeeeeeseeeeaaeeeeeeeeeeiaeeeeeeneeenaaes 19 Setting up a Smart Card ooo eee ee ieee e eee eter eee raae eee eeenaeeeeeeeeenaeeeeeeneenaaees 19 Initializing the Smart Cand WEE 20 Registering the Smart Card iiis i Eesti ea dig E Fun Peppe Y uva o ER a Ro MERE xo ER ea du gna 20 Managing communication privacy ssssesssseenenenn enne enne nme nennen nennen nennen 20 shredding or bleaching files eite etiarn ek baden naL d s MUERE nce 21 Viewing drive ne ett 21 Viewing device access eene nemenen ennemis iden nnne si enne ner se nennen rsen rennen nnn 21 Activating theft reCoVely EE 21 Lee Titele e7z o 2 Er 22 Setting preferentes cm 22 Backup and Restore onte no ne ea rer ere ee ege s ENEE Pea Due e eaa estan Fee ENEE 22 Backing up your dala ET 22 Restoring your data eee eect tenner erie ene tere AAAA NANENANE NAKKEN EARNAN nennen rrr nennen 23 Changing your Windows user name and picture ssssssessseene emen 24 4 Password Manager for HP ProtectTools cseccceceeeseeeeeeeeeeeseeeeseeeeesseeeeseeesessaeesaeeeesseaaesaeesessecanseesesseanes 25 Adding Togon S S23 ascetics ET 26 Editing tee Le EE 26 Using the Logons menu 27 Organizing logons into categories 00 eee ee eect e reece eee eeeeeeae eee en nennen nennen nnns 27 Managing YOur IOGOMS EE 28 Assessing your password strength sssssssssssseeeeeenee eene nnn nenne
48. en the web site you want to edit e Add a logon Click Add Logon and follow the on screen instructions e Edita logon Select a logon and click Edit Then change the logon data as desired e Delete a logon Select a logon and click Delete To add an additional logon for a website or program 1 Launch the logon screen for the website or program 2 Click the Password Manager icon to display its shortcut menu 3 Select Add additional logon and follow the on screen instructions Assessing your password strength Using strong passwords for logon to your websites and programs is an important aspect of protecting your identity Password Manager makes monitoring and improving your security easy with instant and automated analysis of the strength of each of the passwords used to log on to your to websites and programs You can check the strength of the passwords you use for your logons on the Password Manager Password Strength tab Password Manager Icon settings Password Manager attempts to identify logon screens for websites and programs When it finds a logon screen that you have not created a logon for Password Manager will prompt you to add a logon for the screen by displaying the Password Manager icon with a sign The following settings are configurable e Always prompt Select this option to have Password Manager prompt you to add a logon whenever a logon screen displays that does not already have a logon set up for it e
49. equence to initiate shredding 46 using the File Sanitizer icon 46 viewing log files 48 G Getting started administrators 13 H HP ProtectTools features 2 HP ProtectTools Security Manager adding applications 22 backup and restore 22 ENWW changing Windows user name 24 changing your picture 24 device access 21 drive encryption status 21 logging in 18 managing communication privacy 20 managing passwords 19 preferences 22 setting credentials 19 shredding or bleaching files 21 theft recovery 21 HP ProtectTools Security Manager Administrative Console configuring application settings 16 configuring your system 13 disallowing device access 17 drive encryption 17 managing users 15 HP ProtectTools Security accessing 6 l initial setup 13 initializing embedded security chip 50 J just in time authentication JITA 54 K key security objectives 6 L loggingin 18 O objectives security 6 owner password changing 52 definition 9 setting 50 P password changing owner 52 emergency recovery token 50 ENWW guidelines 10 HP ProtectTools 9 managing 9 owner 50 policies creating 8 resetting user 52 secure creating 10 Password Manager for HP ProtectTools adding logons 26 common use examples 3 editing logons 26 icon settings 28 logon categories 27 logon password 9 managing logons 28 password strength 28 using logons menu 27 personal secure drive PSD 51 power on password definition 10 Privacy M
50. eys A CAUTION Be sure to keep the storage device containing the backup key in a safe place because if you forget your password or lose your Smart Card this device provides your only access to your hard drive 1 In the Administrative Console left pane expand Drive Encryption and click Backup and Recovery 2 Click the Backup Keys button 3 Onthe Select Backup Disk page click the name of the device where you want to back up your encryption key and then click Next 4 Read the information on the next page that is displayed and then click Next The encryption key is saved on the storage device you selected 5 Click OK when the confirmation dialog box opens E NOTE Refer to the Drive Encryption for HP ProtectTools Help file for information on managing and performing a recovery ENWW Advanced tasks 31 6 Privacy Manager for HP ProtectTools Privacy Manager is a tool used to obtain Certificates of Authority which verify the source integrity and security of communication when using Microsoft mail Microsoft Office documents and Instant Messenger Privacy Manager leverages the security infrastructure provided by HP ProtectTools Security Manager which includes the following security logon methods e Windows password e Smart card You may use any of the above security logon methods in Privacy Manager Opening Privacy Manager To open Privacy Manager 1 Click Start click All Programs click HP and then c
51. from the backup file Backing up your data When you back up your data you are saving your logons and credential information to an encrypted file protected by a password that you enter To back up your data 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 Inthe Security Manager left pane click Advanced and then click Backup and Restore 3 Click Back up data 4 Select the modules that you want to include in the backup In most cases you will want to select them all Click Next 22 Chapter 3 HP ProtectTools Security Manager ENWW if 8 Enter your password to verify your identity then click the arrow button Enter a path and name for the storage file By default the file will be saved to your Documents folder Click Browse to specify a different location Click Next Enter and confirm a password to protect the file Click Finish Restoring your data ENWW You restore your data from a password protected encrypted file that was previously created through Security Manager s Backup and Restore feature To restore your data 1 2 3 4 5 6 Click Start click All Programs click HP and then click HP ProtectTools Security Manager In the Security Manager left pane click Advanced and then click Backup and Restore Click Restore data Enter the path and name for the storage file or click Browse and select the file Enter the password used to protect the file and c
52. g Drive Encryption Use the HP ProtectTools Administrative Console Setup Wizard to activate Drive Encryption Deactivating Drive Encryption Use the HP ProtectTools Administrative Console Setup Wizard to deactivate Drive Encryption Logging in after Drive Encryption is activated When you turn on the computer after Drive Encryption is activated and your user account is enrolled you must log in at the Drive Encryption logon screen E NOTE Ifthe Windows administrator has enabled Pre boot Security in the HP ProtectTools Administrative Console you will log in to the computer immediately after the computer is turned on rather than at the Drive Encryption logon screen 1 Select your user name and then type your Windows password or Smart Card PIN 2 Click OK Ef NOTE If you use a recovery key to log in at the Drive Encryption logon screen you will also be prompted to select your Windows user name and type your password at the Windows logon screen Advanced tasks Managing Drive Encryption administrator task The Drive Encryption window allows Windows administrators to view and change the status of Drive Encryption active or inactive and to view the encryption status of all of the hard drives on the computer Activating a TPM protected password Use Embedded Security for HP ProtectTools to activate the TPM After activation logging in at the Drive Encryption logon screen requires the Windows user name and password
53. g in with a Smart Card at the Drive Encryption logon screen requires that you insert the Smart Card and type your user name and Smart Card PIN suggested signer A user who is designated by the owner of a Microsoft Word or Microsoft Excel document to add a signature line to the document Trusted Contact invitation An e mail that is sent to a person asking them to become a Trusted Contact Trusted Contact list A listing of Trusted Contacts Trusted Contact recipient A person who receives an invitation to become a Trusted Contact Trusted Contact A person who has accepted a Trusted Contact invitation trusted IM communication 60 Glossary ENWW A communication session during which trusted messages are sent from a trusted sender to a Trusted Contact trusted message A communication session during which trusted messages are sent from a trusted sender to a Trusted Contact Trusted Platform Module TPM embedded security chip The generic term for the HP ProtectTools Embedded Security Chip A TPM authenticates a computer rather than a user by storing information specific to the host system such as encryption keys digital certificates and passwords A TPM minimizes the risk that information on the computer will be compromised by physical theft or an attack by an external hacker trusted sender A Trusted Contact who sends signed and or encrypted e mails and Microsoft Office documents TXT Trusted Execution Technology Ha
54. g the simple delete profile click Apply General tasks Using a key sequence to initiate shredding To specify a key sequence follow these steps 1 n the Security Manager left pane expand File Sanitizer and click Shred 2 Select the Key sequence check box 3 Enter a character in the available box and then select the CTRL ALT or SHIFT box or select all three For example to initiate automatic shredding using the S key and Ctrl Shift enter S in the box and then select the CTRL and SHIFT options E NOTE Be sure to select a key sequence that is different from other key sequences you have configured To initiate shredding using a key sequence 1 Hold down the Ctrl Alt or Shift key or whichever combination you specified while pressing your chosen character 2 Ifa confirmation dialog box opens click Yes Using the File Sanitizer icon A CAUTION Shredded assets cannot be recovered Carefully consider which items you select for manual shredding 1 Navigate to the document or folder you want to shred 2 Drag the asset to the File Sanitizer icon on the desktop 3 When the confirmation dialog box opens click Yes 46 Chapter 7 File Sanitizer for HP ProtectTools ENWW Manually shredding one asset A CAUTION Shredded assets cannot be recovered Carefully consider which items you select for manual shredding 1 Right click the HP ProtectTools icon in the notification area at the far right of the tas
55. ger for HP ProtectTools ENWW 10 ENWW Computrace for HP ProtectTools Computrace for HP ProtectTools is a tool that can remotely monitor manage and track your computer Once activated Computrace for HP ProtectTools is configured from the Absolute Software Customer Center From the Customer Center the administrator can configure Computrace for HP ProtectTools to monitor or manage the computer If the system is misplaced or stolen the Customer Center can assist local authorities to locate and recover the computer If configured Computrace can continue to function even if the hard drive is erased or replaced To activate Computrace for HP ProtectTools 1 Connect to the Internet 2 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 3 In the Security Manager left pane click Theft Recovery 4 Tolaunch the Computrace Activation Wizard click the Activate Now button 5 Enter your contact information along with your credit card payment information or enter a pre purchased Product Key The Activation Wizard securely processes the transaction and sets up your user account on the Absolute Software Customer Center website Once complete you receive a confirmation e mail containing your Customer Center account information If you have previously run the Computrace Activation Wizard and your Customer Center user account already exists you can purchase additional licenses by contacting your
56. gured and all security login methods are required users must log in using all of the configured methods when the HP Drive Encryption login screen opens This action logs the user in to Windows If the HP Drive Encryption and the HP Password Manager levels of security have been configured and any of the configured security login methods is permissible users may log in using any one of the security login methods when the HP Drive Encryption login screen opens This action logs the user in to Windows If the HP Password Manager level of security has been configured and all of the security login methods are required users must log in using all of the configured methods when the Password Manager login screen opens This action logs the user in to Windows If the HP Password Manager level of security option has been configured and any of the configured security login methods is permissible users may log in using any one of the security login methods when the Password Manager login screen opens This action logs the user in to Windows 18 Chapter 3 HP ProtectTools Security Manager ENWW Er NOTE Ifthe HP Password Manager level of security has not been configured users must still enter their Windows password at the Windows login screen regardless of the security login methods that are required by other levels of security Managing passwords Password Manager for HP ProtectTools creates and manages logons which allow you to launch and log o
57. guring your system ENWW The System group of applications is accessed from the Tools menu on the left side of the Administrative Console By using the applications included in this group you can configure and manage the policies and settings for this computer its users and devices The following applications are included in the System group e Security Manage security features authentication policies and other settings that govern how users authenticate when logging on to the computer or HP ProtectTools applications e Users Set up manage and enroll users of this computer e Devices Manage settings for security devices built in or connected to the computer Getting Started Setup Wizard 13 Enabling security features The security features enabled here apply to all users of this computer 1 2 3 4 In the left pane of the Administrative Console expand Security and click on Features To enable a security feature click the corresponding check box next to Windows Logon Security and or Protect data activates Drive Encryption e Windows Logon Security protects your Windows account s by requiring the use of specific credentials for access e Protect data protects your data by encrypting your hard drive s using Drive Encryption for HP ProtectTools making the information unreadable by those without proper authorization Click the Next button Click the Finish button Defining Security Manager authen
58. he Windows Recycle Bin or for manually deleted assets Free space bleaching provides no additional security to shredded assets To set a free space bleaching schedule 1 n the Security Manager left pane expand File Sanitizer and click Bleaching 2 Select the Activate Scheduler check box enter your Windows password and then enter a day and time to bleach your hard drive 3 Click the Save icon E NOTE The free space bleaching operation can take a long time Even though free space bleaching is performed in the background your computer may run slower due to increased processor usage Setting a shred schedule 1 In the Security Manager left pane expand File Sanitizer and click Shred 2 Select a shred option e Windows shutdown Choose this option to shred all selected assets when Windows shuts down Er NOTE When this option is selected a dialog box is displayed at shutdown asking if you want to continue with shredding the selected assets or if you want to bypass the procedure Click Yes to bypass the shred procedure or click No to continue with shredding The Yes or No option must be selected quickly because Windows will close the software in preparation for shutting down and produce an error If you select No in order to continue shredding Windows may produce an error screen indicating that File Sanitizer is not responding Allow File Sanitizer to complete the shred then initiate the shutdown again e Web b
59. he smart card is selected 5 Type in your PIN number click the Apply button then follow the onscreen instructions 6 After the Smart Card has been successfully initialized proceed to register the Smart Card Registering the Smart Card After initializing the Smart Card administrators can register the card as an authentication method in the Administrative Console or users can register it in Security Manager To register the Smart Card in the Administrative Console 1 In the Administrative Console click the Setup Wizard in the lower left corner 2 Inthe Welcome screen click Next and enter your Windows password 3 Inthe SpareKey window click Skip SpareKey Setup unless you want to update the SpareKey information 4 Inthe Enable security features window click Next 5 In the Choose your credential window ensure that Smart card is selected and click Next 6 Inthe Smart card window enter your PIN number and click Next 7 Click Finish To register the Smart Card in Security Manager 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 n Security Manager expand Credentials and click Smart Card 3 Enter your Windows password and PIN number then click Save Managing communication privacy Privacy Manager for HP ProtectTools enables you to use advanced security login authentication methods to verify the source integrity and security of communication when using e mail Micros
60. ind Now to search for users or groups to add Click a user or a group to be added to the list of available users and groups and then click OK Click OK es i S c5 AM Removing a user or a group 1 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console 2 Inthe left pane expand Device Access Manager and then click Device Class Configuration 3 In the device list click the device class that you want to configure 4 Click the user or group you want to remove and then click Remove Denying or allowing access to a user or group 1 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console In the left pane expand Device Access Manager and then click Device Class Configuration In the device list click the device class that you want to configure Under User Groups click the user or group to be denied access Click Deny next to the user or group to be denied access Click the Save icon and then click OK mw o e A Just In Time Authentication JITA Configuration The JITA Configuration page allows the administrator to view and modify lists of users and groups that are allowed to access devices using just in time authentication JITA JITA enabled users will be able to access some devices which policies created on the Device Class Configuration or Simple Configurations view have restricted 54 Chapter9 Device Access Manager for HP ProtectTo
61. kbar highlight File Sanitizer and then click Shred One 2 When the Browse dialog box opens navigate to the asset you want to shred and then click Open 229 E NOTE The asset you select can be a single file or folder 3 When the confirmation dialog box opens click Yes or 1 Right click the File Sanitizer icon on the desktop and then click Shred One 2 When the Browse dialog box opens navigate to the asset you want to shred and then click OK 3 When the confirmation dialog box opens click Yes or 1 In the Security Manager left pane expand File Sanitizer and click Shred 2 Click the Browse button 3 When the Browse dialog box opens navigate to the asset you want to shred and then click Open 4 When the confirmation dialog box opens click Yes Manually shredding all selected items 1 Right click the HP ProtectTools icon in the notification area at the far right of the taskbar highlight File Sanitizer and then click Shred Now 2 When the confirmation dialog box opens click Yes 1 Right click the File Sanitizer icon on the desktop and then click Shred Now 2 When the confirmation dialog box opens click Yes Manually activating free space bleaching 1 Right click the HP ProtectTools icon in the notification area at the far right of the taskbar highlight File Sanitizer and then click Bleach Now 2 A notification bubble will appear verifying that a bleach operation has begun or
62. lick HP ProtectTools Administrative Console E NOTE After you have configured the Password Manager module you can also open HP ProtectTools by logging on to Password Manager directly from the Windows logon screen Achieving key security objectives The HP ProtectTools modules can work together to provide solutions for a variety of security issues including the following key security objectives e Protecting against targeted theft e Restricting access to sensitive data e Preventing unauthorized access from internal or external locations Chapter 1 Introduction to security ENWW Creating strong password policies Addressing regulatory security mandates Protecting against targeted theft An example of this type of incident would be the targeted theft of a computer or its confidential data and customer information This can easily occur in open office environments or in unsecured areas The following features help protect the data if the computer is stolen The pre boot authentication feature if enabled helps prevent access to the operating system See the following chapters Password Manager for HP ProtectTools on page 25 Embedded Security for HP ProtectTools on page 49 Drive Encryption for HP ProtectTools on page 29 DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and installed into an unsecured system The Personal Secure Drive feature provided by the Embedded
63. lick HP ProtectTools Security Manager 2 Inthe Security Manager left pane click Privacy Manager or Right click the HP ProtectTools icon in the notification area at the far right of the taskbar highlight Privacy Manager for HP ProtectTools and then click Configuration On the toolbar of a Microsoft Outlook e mail message click the down arrow next to Send Securely and then click Certificate Manager or Trusted Contact Manager On the toolbar of a Microsoft Office document click the down arrow next to Sign and Encrypt and then click Certificate Manager or Trusted Contact Manager Setup procedures Managing Privacy Manager Certificates Manager Certificates protect data and messages using a cryptographic technology called public key infrastructure PKI PKI requires users to obtain cryptographic keys and a Privacy Manager Certificate issued by a certificate authority CA Unlike most data encryption and authentication software that only requires you to authenticate periodically Privacy Manager requires authentication each time you sign an e mail message or a Microsoft Office document using a cryptographic key Privacy Manager makes the process of saving and sending your important information safe and Secure Requesting and installing a Privacy Manager Certificate Before you can use the Privacy Manager features you must request and install a Privacy Manager Certificate from within Privacy Manager using a valid e mail address Th
64. lick Next Select the modules whose data you want to restore In most cases this would be all of the modules listed Click Next Click Finish Backup and Restore 23 Changing your Windows user name and picture Your Windows user name and a picture are displayed in the upper left corner of Security Manager To change your user name and or picture 1 Click on the upper left section of Security Manager with your user name and picture 2 To change your user name type a name in the Windows user name box 3 To change your picture click the Choose Picture button and browse to select a picture 4 Click the Save button to save your changes 24 Chapter 3 HP ProtectTools Security Manager ENWW ENWW Password Manager for HP ProtectTools Logging on to Windows websites and programs is easier and more secure when you use Password Manager Password Manager allows you to set up the logon screens of websites and programs for quick and secure access First Password Manager learns about your logons and the specific data that you type in the input boxes of each logon screen Then once you are at a logon screen after verifying your identity Password Manager fills in and submits the data automatically For even faster access you can display a menu of your logons by simply using a configurable Hot key combination Ctrl Alt H is the default On the menu simply select a logon and Password Manager will launch the website or program n
65. lick Trusted Contacts Manager 2 Click a Trusted Contact 3 Click the Advanced button The Advanced Trusted Contact Management dialog box opens 4 Click Check Revocation Click Close General tasks Using Privacy Manager in Microsoft Office After you install your Privacy Manager Certificate a Sign and Encrypt button is displayed on the right side of the toolbar of all Microsoft Office 2007 Word Excel and PowerPoint documents Er NOTE f you are using Microsoft Office 2007 you must have all the Microsoft updates applied otherwise some signed e mails will go into the Junk E mail folder ENWW General tasks 37 Configuring Privacy Manager in a Microsoft Office document 1 Right click the HP ProtectTools icon in the notification area at the far right of the taskbar highlight File Sanitizer and then click Shred Now 2 When the confirmation dialog box opens click Yes 1 In the Security Manager left pane expand Privacy Manager and click Settings and then click the Documents tab On the toolbar of a Microsoft Office document click the down arrow next to Sign and Encrypt and then click Settings 2 Select the actions you want to configure and then click OK Signing a Microsoft Office document 1 n Microsoft Word Microsoft Excel or Microsoft PowerPoint create and save a document 2 Click the down arrow next to Sign and Encrypt and then click Sign Document 3 Authenticate using your chosen security logo
66. lp for the Password Manager application For web pages or programs where a logon has already been created The following options are shown on the context menu e Fil in logon data places your logon data in the logon fields and then submits the page if submission was specified when the logon was created or last edited e Editlogon Allows you to edit your logon data for this website e X Add logon Use to add another logon for the same website or program 25 Open Password Manager Launches the Security Manager dashboard on the Password Manager page Help Displays online help for the Password Manager application Er NOTE The administrator of the computer may have set up Security Manager to require more than one credential when verifying your identity Adding logons Adding a logon for a website or program is quick and simple You enter the logon information for the site or program once and from then on Password Manager automatically enters the information for you You can use these logons after browsing to the website or program or simply select a logon from the Logons menu to have Password Manager open the website or program and log you on 26 To add a logon 1 P3 5 Open the logon screen for a website or program Click the arrow on the Password Manager icon and then select one of the following depending on whether the logon screen is for a website or a program e Fora website select Add domain
67. m external media e The administrator can disable access to writeable devices for specific individuals or groups of users e Allows the administrator to schedule when access is provided to hardware Computrace for HP ProtectTools e Provides secure asset tracking e Can monitor user activity along with hardware and software changes e Remains active even if the hard drive is reformatted or replaced e Requires separate purchase of tracking and tracing subscription to activate HP ProtectTools security products description and common use examples Most of the HP ProtectTools security products have both a user authentication usually a password and an administrative backup to gain access if passwords are lost not available forgotten or any time corporate security requires access dl Ef NOTE Some of the HP ProtectTools security products are designed to restrict access to data Data should be encrypted when it is so important that the user would rather lose the information then have it compromised It is recommended that all data be backed up in a secure location Credential Manager Password Manager for HP ProtectTools Credential Manager part of Security Manager is a repository for user names and passwords It is most often used to save login names and passwords for Internet access or web mail Credential Manager can automatically log the user into a web site or mail ENWW HP ProtectTools security products desc
68. n method 4 When the confirmation dialog box opens read the text and then click OK If you later decide to edit the document follow these steps 1 Click the Office button in the upper left corner of the screen 2 Click Prepare and then click Mark as Final 3 When the confirmation dialog box opens click Yes and continue working 4 When you have completed your editing sign the document again Adding a signature line when signing a Microsoft Word or Microsoft Excel document Privacy Manager allows you to add a signature line when you sign a Microsoft Word or Microsoft Excel document 1 In Microsoft Word or Microsoft Excel create and save a document 2 Click the Home menu 3 Click the down arrow next to Sign and Encrypt and then click Add Signature Line Before Signing E NOTE A check mark is displayed next to Add Signature Line Before Signing when this option is selected By default this option is enabled 4 Click the down arrow next to Sign and Encrypt and then click Sign Document 5 Authenticate using your chosen security logon method Adding suggested signers to a Microsoft Word or Microsoft Excel document You can add more than one signature line to your document by appointing suggested signers A suggested signer is a user who is designated by the owner of a Microsoft Word or Microsoft Excel document to add a signature line to the document Suggested signers can be you or another person who you want to sign yo
69. n nennen nnn 28 Password Manager Icon settings ssssssssssesseeeeene enne enne enn nn nnn nnne 28 5 Drive Encryption Tor HP ProtectToo s eooor errore neenon toon rua knee erre ex Imo Pro sx a vaa erras vie EE REENEN 29 todereeoUlse p e PEE 30 Opening Drive Encryption co nies Eterno ea VEI eene EELER 30 General taSkS ot C 30 Activating Drive Encryption meme en nennen nnne 30 Deactivating Drive Eneryptlon eei eicere eee EUREN EES EEN 30 ENWW Logging in after Drive Encryption is activated ssssen 30 Advanced tasks eti EO EA a ete Pedes arde red RE Ee YE ede Eo e dederat 30 Managing Drive Encryption administrator ask 30 Activating a TPM protected password ss ssssssrrrsrrrsrrrrrrrrrrrrrrrrrrrrrrrrrrnrtnnn 30 Encrypting or decrypting individual drives eeene 31 Backup and recovery administrator task ssssssessennn eene 31 Creating backup Keys eite dece teet epe eee ee DDR e Ee edere Due a Ode 31 6 Privacy Manager for HP ProtectTools rre reatu reta por rt tha resa ib naar pb rb nana po rob ea Eve EFE E EXa sa o EE ua aan GE cae 32 Opening Melen e EE 32 Setup procedures eee 32 Managing Privacy Manager Certificates sssseene eee 32 Requesting and installing a Privacy Manager Certificate sssssssssesss 32 Requesting a Privacy Manager Certificate esseeeee 33
70. n the computer is turned on restarted or restored from hibernation Protects access to the Emergency Recovery Token which is a backup file for the embedded security chip Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security Additional security elements 9 HP ProtectTools password Set in this Function HP ProtectTools module Smart Card PIN Smart Card Security Can be used as a multifactor authentication option Can be used as a Windows authentication Authenticates users of Drive Encryption if the Smart Card token is selected Computer Setup password BIOS by IT administrator Protects access to the Computer Setup utility NOTE Also known as BIOS administrator F10 Setup or Security Setup password Power on password BIOS Protects access to the computer contents when the computer is turned on restarted or restored from hibernation Windows Logon password Windows Control Panel Can be used for manual logon Creating a secure password When creating passwords you must first follow any specifications that are set by the program In general however consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised 10 Chapter 1 Use passwords with more than 6 characters preferably more than 8 Mix the case of letters throughout your password Whenever possible mix alphanumeric
71. n to websites and programs by authenticating with your enrolled credentials For more information on managing passwords refer to Password Manager for HP ProtectTools on page 25 Setting credentials You use your Security Manager Credentials to verify that you are really you The local administrator of this computer can set up which credentials may be used to prove your identity when logging onto your Windows account websites or programs Available credentials can vary depending on the security device built in or connected to the computer Each supported credential will have an entry in the Credentials group Changing your Windows password Security Manager makes changing your Windows password simpler or quicker than doing it through the Windows Control panel To change your Windows password 1 In HP ProtectTools Security Manager click Credentials in the left pane 2 Click Windows Password 3 Type your current password in the Current Windows password box 4 Type your new password in the New Windows password and Confirm new password boxes 5 Click Change Setting up a Smart Card ENWW Smart Card is an integrated part of Security Manager Smart Card setup and configuration is used with the HP Smart Card keyboard The Smart Card is a personal security device that protects authentication data requiring both the card and a PIN number to grant access like using an ATM card with a PIN The Smart Card can be used to access Pass
72. name to Password Manager e Fora program select Add this logon screen to Password Manager Enter your logon data Logon fields on the screen and their corresponding fields on the dialog are identified with a bold orange border Other options for displaying this dialog are available such as selecting Add Logon from the Password Manager Manage tab Some options depend on the security devices connected to the computer for example using the Ctrl H Hot Key or inserting a smart card e Click the arrows to the right of a logon field to populate it with one of several preformatted choices e Optionally click Choose other fields to add additional fields from the screen to your logon e Deselect Submit logon data if you want the logon fields filled in but do not want them submitted e f you want to view the password for this logon click Show password Click OK The plus sign is removed from the Password Manager icon letting you know that the logon has been created Enter the Windows password and click the green arrow Now every time that you go to that website or launch that program the Password Manager icon will appear indicating that you can use your registered credential s to log on Editing logons To edit a logon 1 2 Chapter 4 Open the logon screen for a website or program Click the arrow on the Password Manager icon and select Edit logon to display a dialog where you can edit your logon information Logon fiel
73. nd put it in a safe place This file should be for your use only and is required in case you need to restore your Privacy Manager Certificate and associated keys Enter and confirm a password and then click Next Authenticate using your chosen security logon method If you choose to begin the Trusted Contact invitation process follow the on screen instructions If you click Cancel refer to Managing Trusted Contacts for information on adding a Trusted Contact at a later time Viewing Privacy Manager Certificate details ENWW 1 2 3 4 In the Security Manager left pane expand Privacy Manager and click Certificate Manager Click a Privacy Manager Certificate Click Certificate details When you have finished viewing the details click OK Setup procedures 33 Renewing a Privacy Manager Certificate When your Privacy Manager Certificate nears expiration you will be notified that you need to renew it 1 2 3 4 In the Security Manager left pane expand Privacy Manager and click Certificate Manager Click a Privacy Manager Certificate Click Renew certificate Follow the on screen instructions to purchase a new Privacy Manager Certificate Er NOTE The Privacy Manager Certificate renewal process does not replace your old Privacy Manager Certificate You will need to purchase a new Privacy Manager Certificate and install it using the same procedures as in Requesting and installing a Privacy Manager Certificate
74. nt 38 signing and sending an e mail message 41 using Privacy Manager in Microsoft Office 37 using Privacy Manager in Microsoft Outlook 41 viewing a sealed e mail message 41 viewing a signed Microsoft Office document 40 viewing an encrypted Microsoft Office document 40 Index 63 viewing Privacy Manager certificate details 33 viewing trusted contact details 37 R restricting access to sensitive data 7 device access 53 S security key objectives 6 levels 13 logging in 18 login methods 13 roles 9 setup wizard 13 security setup password 10 shred profile customizing 45 predefined 44 selecting or creating 44 simple delete profile customizing 45 smart card initializing 20 PIN 10 registering 20 setting up 19 T targeted theft protecting against 7 57 TPM chip enabling 49 initializing 50 tracking acomputer 57 U unauthorized access preventing 8 W Windows Logon password 10 64 Index ENWW
75. ocument Follow the steps in this section to encrypt the document again Removing the encryption from a Microsoft Office document When you remove encryption from a Microsoft Office document you and your Trusted Contacts are no longer required to authenticate to open and view the contents of the document To remove encryption from a Microsoft Office document 1 Open an encrypted Microsoft Word Microsoft Excel or Microsoft PowerPoint document 2 Authenticate using your chosen security logon method 3 Click the Home menu 4 Click the down arrow next to Sign and Encrypt and then click Remove Encryption Sending an encrypted Microsoft Office document You may attach an encrypted Microsoft Office document to an e mail message without signing or encrypting the e mail itself To do this create and send an e mail with a signed or encrypted document just as you normally would a regular e mail with an attachment However for optimum security it is recommended that you encrypt the e mail when attaching a signed or encrypted Microsoft Office document To send a sealed e mail with an attached signed and or encrypted Microsoft Office document follow these steps 1 n Microsoft Outlook click New or Reply 2 Type your e mail message 3 Attach the Microsoft Office document 4 Refer to Sealing and sending an e mail message for further instructions Viewing a signed Microsoft Office document E NOTE You do not need to have a Priv
76. oft Office documents or instant messaging IM For more information on Privacy Manager for HP ProtectTools refer to Privacy Manager for HP ProtectTools on page 32 20 Chapter 3 HP ProtectTools Security Manager ENWW Shredding or bleaching files File Sanitizer for HP ProtectTools deletes files by overwriting them with meaningless data This process referred to as shredding greatly enhances information security by making the deleted files very difficult to recover File Sanitizer further enhances information security by overwriting previously used space on the hard drive using a process referred to as bleaching Files deleted using File Sanitizer cannot be recovered by the Operating System or other commonly available file recovery software For more information on using File Sanitizer for HP ProtectTools refer to File Sanitizer for HP ProtectTools on page 43 Viewing drive encryption status Drive Encryption is set up by the Windows Administrator in the Administrative Console Users can view their encryptions status in Security Manager To view drive encryption status 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 In the Security Manager left pane click Drive Encryption gt Encryption Status The Encryption Status page shows if drive encryption is active or inactive and which drives are encrypted or not encrypted Viewing device access Device Access is
77. ols ENWW Scenario A Simple Configuration policy is configured to deny all non Device Administrators access to the DVD CD ROM drive Result A JITA enabled user attempts to access the DVD CD ROM drive they receive the same access denied message as a non JITA enabled user In addition another popup will display asking for the users credentials Once the user successfully authenticates to Security Manager they will be granted access to the DVD CD ROM drive The JITA period can be authorized for a set number of minutes or 0 minutes A JITA period of 0 minutes will not expire the user will have access to the device from the time they authenticate until the time they log off the system The JITA period can also be extendable In this scenario 1 minute before their JITA period is about to expire they can click the prompt and extend their access without having to re authenticate Whether the user is given a limited or unlimited JITA period as soon as they log off the system or switch their user and login as someone else the JITA period expires The next time the user logs in and attempts to access a JITA enabled device they will be prompted for their credentials At present JITA is available for the following device classes e DVD CD ROM e Removable Media This section provides information about the following topics e Creating a JITA for a user or group e Creating an extendable JITA for a user or group e Disabling a JITA for a User or Grou
78. or any custom files to be permanently removed automatically Device Access Manager for HP ProtectTools Device Access Manager for HP ProtectTools can be used to block unauthorized access to USB flash drives where data could be copied It can also restrict access to CD DVD drives control of USB devices network connections etc An administrator can also schedule when or how long drives can be accessed An example would be a situation where outside vendors need access to company computers but should not be able to copy the data to a USB drive Device Access Manager for HP ProtectTools allows an administrator to restrict and manage access to hardware Example 1 A Manager of a medical supply company often works with personal medical records along with his company information The employees need access to this data however it is extremely important that the data is not removed from the computer by a USB drive or any other external storage media The network is secure but the computers have CD burners and USB ports that could allow the data to be copied or stolen The Manager uses Device Access Manager to disable the USB ports and CD burners so they cannot be used Even though the USB ports are blocked mouse and keyboards will continue to function Example 2 An Insurance company does not want its employees to install or load personal software or data from home Some employees need access to the USB port on all computers The IT Manager uses Device Ac
79. ork administrators to manage systems remotely at the BIOS level bleaching see free space bleaching certification authority Service that issues the certificates required to run a public key infrastructure credentials Method by which a user proves eligibility for a particular task in the authentication process cryptographic service provider CSP Provider or library of cryptographic algorithms that can be used in a well defined interface to perform particular cryptographic functions cryptography Practice of encrypting and decrypting data so that it can be decoded only by specific individuals decryption Procedure used in cryptography to convert encrypted data into plain text digital certificate Electronic credentials that confirm the identity of an individual or a company by binding the identity of the digital certificate owner to a pair of electronic keys that are used to sign digital information digital signature Data sent with a file that verifies the sender of the material and that the file has not been modified after it was signed domain Group of computers that are part of a network and share a common directory database Domains are uniquely named and each has a set of common rules and procedures 58 Glossary ENWW Drive Encryption key recovery service The SafeBoot Recovery Service It stores a copy of the encryption key enabling you to access your computer if you forget your password and do not have acce
80. oup sssse eene 54 Just In Time Authentication JITA Configuration sssssseneenn eene 54 Creating a JITA for a user or group sssssse nnnm eene nennen nennen enne 55 viii ENWW Creating an extendable JITA for a user OF group ccccccceecsnecceeeeesneeeecescnseeeeeesnteeeeesenaes 55 Disabling a JITA for a user or group eccceceesceceeeeeeeeeneeeecaeeeeceeeeeecaaeeeeeeeeesseeeseneeeteaeees 56 Advanced ln e 56 10 Computrace for HP ProtectTools et sais cinsaisiaievacasisiciavasdaasdsccsvntedstsdsecutadaicaas tvsadatoodivssasatsauiaviaasitabvvndeasteads 57 ONS e EE 58 DOON e 62 ENWW ENWW ENWW Introduction to security HP ProtectTools security software provides security features that help protect against unauthorized access to the computer networks and critical data Enhanced security functionality is provided by several HP ProtectTools software modules HP ProtectTools provides two versions that can be utilized HP ProtectTools Security Manager Administrative Console and HP ProtectTools Security Manager for general users Both Administrator and user versions are available in the Start gt All Programs gt HP menu Function Features HP ProtectTools Security Manager Administrative e Requires Microsoft Windows system administrator rights to Console access e Access to modules to be configured by an administrator and not available to the general user e Allows initial se
81. p Creating a JITA for a user or group Administrators can allow users or group access to devices using just in time authentication 1 In the left pane of HP ProtectTools Administrative Console click Device Access Manager and then click JITA Configuration 2 From the devices drop down menu select either removable media or DVD CD ROM drives 3 Using the button add a user or group to the JITA configuration 4 Click the Enabled check box 5 Get be JITA period to the required time 6 Click the Apply button The selected user can now login authenticate to Security Manager and access the device Creating an extendable JITA for a user or group ENWW Administrators can allow users or group access to devices using just in time authentication 1 In the left pane of HP ProtectTools Administrative Console click Device Access Manager and then click JITA configuration 2 From the devices drop down menu select either removable media or DVD CD ROM drives 3 Using the button add a user or group to the JITA configuration 4 Click the Enabled check box Just In Time Authentication JITA Configuration 55 5 Set the JITA period to the required time 6 Click the Extendable check box 7 Click the Apply button The selected user can now login authenticate to Security Manager and access the device One minute before the JITA period is about to expire the user will be prompted to extend their JITA period Disabling a J
82. profile which allows you to specify the number of shred cycles which assets to include for shredding which assets to confirm before shredding and which assets to exclude from shredding You can set up an automatic shred schedule and you can also manually shred assets whenever you want About free space bleaching Free space bleaching allows you to securely write random data over deleted assets preventing users from viewing the original contents of the deleted asset NOTE Free space bleaching is for those assets that you delete using the Windows Recycle Bin or when you manually delete an asset Free space bleaching provides no additional security to shredded assets You can set an automatic free space bleaching schedule or you can manually activate free space bleaching using the HP ProtectTools icon in the notification area at the far right of the taskbar Setup procedures Opening File Sanitizer ENWW To open File Sanitizer 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 Inthe Security Manager left pane click File Sanitizer or e Double click the File Sanitizer icon or e Right click the HP ProtectTools icon in the notification area at the far right of the taskbar highlight File Sanitizer and then click Open File Sanitizer Setup procedures 43 Setting a free space bleaching schedule NOTE Free space bleaching is for those assets that you delete using t
83. rdware and firmware that provides security against attacks on a computer s software and data user Anyone enrolled in Drive Encryption Non administrator users have limited rights in Drive Encryption They can only enroll with administrator approval and log in Windows administrator A user with full rights to modify permissions and manage other users Windows user account Profile for an individual authorized to log on to a network or to an individual computer ENWW Glossary 61 Index A access controlling 53 preventing unauthorized 8 accessing HP ProtectTools Security 6 account basic user 50 advanced tasks Device Access Manager 54 Embedded Security 52 B background service Device Access Manager 53 backing up and restoring certification information 52 Embedded Security 52 backup and restore 22 basic user account 50 Basic User Key password setting 50 BIOS administrator password 10 C changing Windows password 19 common use examples 3 Computer Setup administrator password 10 Computrace for HP ProtectTools common use examples 6 configuring users 13 controlling device access 53 D data restricting access to 7 decrypting a drive 29 Device Access Manager for HP ProtectTools background service 53 common use examples 5 device class configuration 54 JITA configuration 54 simple configuration 53 user or group adding 54 62 Index user or group denying access to 54 user or group removing 54 D
84. ring the behavior of Security Manager and its applications To modify the settings 1 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console 2 Inthe Administrative Console left pane click Settings 3 On the General tab choose the general settings for HP ProtectTools Security Manager then click the Apply button 4 Onthe Applications tab select the applications you want to enable or disable then click the Apply button amp NOTE Enabling or disabling an application may not take effect until the computer is restarted 16 Chapter 2 HP ProtectTools Security Manager Administrative Console ENWW Encrypting Drives Drive Encryption for HP ProtectTools allows you to encrypt computer hard drives making the hard drive unreadable and inaccessible to any unauthorized person who might try to access it even if the drive has been removed from the computer or sent to a data recovery service To enable or disable Drive Encryption click on the Setup Wizard in the Administrative Console For more information on using Drive Encryption for HP ProtectTools refer to Drive Encryption for HP ProtectTools on page 29 Managing Device Access ENWW Device Access Manager for HP ProtectTools provides advanced security options to selectively disallow various types of devices that can compromise the security of your PC For more information on using Device Access Manager for HP ProtectTools refer
85. ription and common use examples 3 Example 1 A Purchasing Agent for a large manufacturer makes most of her corporate transactions over the Internet She also frequently visits several popular web sites that require login information She is keenly aware of security so does not use the same password on every account The Purchasing Agent has decided to use Credential Manager to match web links with different user names and passwords When she goes to a web site to log in Credential Manager presents the credentials automatically If she wants to view the user names and password Credential Manager can be configured to reveal them Credential Manager can also be used to manage and organize the authentications This tool will allow a user to select what web or network asset they choose and directly access the link The user can also view the user names and passwords when necessary Example 2 A hard working CPA has been promoted and will now manage the entire accounting department The team must log into a large number of client web accounts with each account using different login information This login information needs to be shared with other workers so confidentiality is an issue The CPA decides to organize all the web links company user names and passwords within Credential Manager for HP ProtectTools Once complete the CPA deploys Credential Manager to the employees so they can work on the web accounts and never know the login credentials that
86. rive Encryption for HP ProtectTools activating 30 activating a TPM protected password 30 backup and recovery 31 common use examples 4 creating backup keys 31 deactivating 30 decrypting individual drives 30 encrypting individual drives 30 logging in after Drive Encryption is activated 30 managing Drive Encryption 30 opening 30 E Embedded Security for HP ProtectTools backup file creating 52 basic user account 50 Basic User Key 50 certification data restoring 52 common use examples 4 enabling TPM chip 49 encrypted e mail 51 encrypting files and folders 51 initializing chip 50 installing 49 migrating keys 52 owner password changing 52 password 9 Personal Secure Drive 51 resetting user password 52 setup procedures 49 emergency recovery 50 emergency recovery token password definition 9 setting 50 enabling TPM chip 49 encrypting adrive 29 encrypting files and folders 51 F F10 Setup password 10 features HP ProtectTools 2 File Sanitizer 46 File Sanitizer for HP ProtectTools aborting a shred or free space bleaching operation 48 bleaching 43 common use examples 5 manually activating free space bleaching 47 manually shredding all selected items 47 manually shredding one asset 47 opening 43 predefined shred profile 44 setting a bleaching schedule 44 setting ashred schedule 44 setup procedures 43 shred profile 45 shred profile selecting or creating 44 shredding 43 simple delete profile 45 using key s
87. rowser open Choose this option to shred all selected Web related assets such as browser URL history when you open a Web browser e Web browser quit Choose this option to shred all selected Web related assets such as browser URL history when you close a Web browser e Key sequence Choose this option to initiate shredding using a key sequence e Scheduler Select the Activate Scheduler check box enter your Windows password and then enter a day and time to shred selected assets 3 Click the Save icon Selecting or creating a shred profile You can specify a method of erasure and select the assets to shred by selecting a predefined profile or by creating your own profile Selecting a predefined shred profile When you choose a predefined shred profile High Security Medium Security or Low Security a predefined erasure method and list of assets are automatically selected You can click the View Details button to view the predefined list of assets that are selected for shredding 44 Chapter 7 File Sanitizer for HP ProtectTools ENWW To select a predefined shred profile 1 2 3 4 5 In the Security Manager left pane expand File Sanitizer and click Settings Click a predefined shred profile Click View Details to view the list of assets that are selected for shredding Under Shred the following select the check box next to each asset that you want to confirm before shredding Click Apply Customizing
88. s This security tool is available to administrators only Device Access Manager for HP ProtectTools has the following security features that protect against unauthorized access to devices attached to your computer system Device profiles that are created for each user to define device access Device access that can be granted or denied on the basis of group membership Er NOTE Device Access Manager uses Windows Local Users and Groups to manage access Windows Home versions do not support Local Users and Groups therefore Device Access Manager will not function properly However Device Access Manager will work in Microsoft Windows Vista Home version if you use DOS commands for the user setup Refer to the Device Access Manager help file for instructions Starting background service For device profiles to be applied the HP ProtectTools Device Locking Auditing background service must be running When you first attempt to apply device profiles HP ProtectTools Administrative Console opens a dialog box to ask if you would you like to start the background service Click Yes to start the background service and set it to start automatically whenever the system boots Simple configuration Device Access Manager creates a new User Group during initialization called Device Administrators for accessing or exploring devices as an administrator Place users in this group that you want to have administrative access to the devices you control through Device
89. s set through Security Manager and against the credentials required to meet those policies To view the policies in force for a specific user select the user from the list and click the View Policies button To supervise a users while they enroll credentials select the user from the list and click the Enroll button Adding a user ENWW This process adds users to the Drive Encryption logon list Before you add a user that user must already have a Windows user account on the computer and must be present during the following procedure to provide the password To add a User to the users list 1 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console In the Administrative Console left pane click User Click the Add button The Select Users dialog box opens Click the Advanced button and then click the Find Now button to search for users to add Click a user to be added to the list and then click OK Click OK in the Select Users dialog box Se Ae Ser pe Type the Windows password for the selected account and then click Finish Er NOTE You must use an existing Windows account and type it exactly You cannot modify or add a Windows user account using this dialog box Configuring your system 15 Removing a user NOTE This procedure does not delete the Windows user account It only removes that account from Security Manager To completely remove the user you must remove the
90. session 1 2 3 14 Chapter 2 In the left pane of the Administrative Console expand Security and click on Authentication On the Session tab select a category of user In the Policy section specify the authentication credential s required for the selected category of user by clicking the check box or boxes next to the listed credentials You must specify at least one credential HP ProtectTools Security Manager Administrative Console ENWW 4 Inthe Policy section drop down list choose whether ANY only one of the specified credentials are required or if ALL of the specified credentials are required in order to authenticate a user 5 Click the Apply button Defining Settings You can specify which advanced security settings to allow To edit the settings 1 In the left pane of the Administrative Console expand Security and click on Settings 2 Click the appropriate check box to enable or disable a specific setting 3 Click the Apply button to save the changes E NOTE The Allow One Step logon setting allows users of this computer to skip Windows logon if authentication was performed at the BIOS or encrypted disk level Managing Users Within the Users application Windows administrator can manage this computer s users and the policies that affect them To access the Users application in the Administrative Console click on Users The HP ProtectTools users are listed and verified against the authentication policie
91. set up by the Windows Administrator in the Administrative Console Users can view their device access setting in Security Manager To view device access settings 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 Inthe Security Manager left pane expand Device Access Manager 3 To view which devices are denied access click Simple Configuration Devices with a check mark next to them are denied access 4 To view which users or groups are denied access click Device Class Configuration 5 Click on a device to see which users or groups are denied or allowed access to a device Activating theft recovery HP ProtectTools utilizes Computrace by Absolute Software to remotely monitor manage and track your computer If your computer is lost or stolen Absolute s Recovery Team will partner with law enforcement towards recovery For more information on using Computrace refer to Computrace for HP ProtectTools on page 57 ENWW Shredding or bleaching files 21 Adding applications Additional applications may be available to add new features to this program 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 Inthe Security Manager left pane select the Administration drop down menu and click Discover More E NOTE If there is no Discover More link it has been disabled by the administrator of your computer 3 On the Add Applications tab bro
92. ss to your local backup key You must create an account with the service to set up online access to your backup key Drive Encryption logon screen A logon screen that is displayed before Windows starts up Users must enter their Windows user name and the password or Smart Card PIN Under most circumstances entering the correct information at the Drive Encryption logon screen allows access directly into Windows without having to log in again at the Windows logon screen DriveLock Security feature that links the hard drive to a user and requires the user to correctly type the DriveLock password when the computer starts up emergency recovery archive Protected storage area that allows the reencryption of basic user keys from one platform owner key to another Encryption File System EFS System that encrypts all files and subfolders within the selected folder encryption Procedure such as use of an algorithm employed in cryptography to convert plain text into cipher text in order to prevent unauthorized recipients from reading that data There are many types of data encryption and they are the basis of network security Common types include Data Encryption Standard and public key encryption free space bleaching The secure writing of random data over deleted assets on the hard drive to distort the contents of the deleted assets making recovery of the data more difficult key sequence A combination of specific keys that when press
93. t settings are configured to do so Click OK Adding a suggested signer s signature line When suggested signers open the document they will see their name in brackets indicating that their signature is required To sign the document 1 2 Double click the appropriate signature line Authenticate using your chosen security logon method The signature line will be shown according to the settings specified by the owner of the document Encrypting a Microsoft Office document You can encrypt a Microsoft Office document for you and for your Trusted Contacts When you encrypt a document and close it you and the Trusted Contact s you select from the list must authenticate before opening it To encrypt a Microsoft Office document 1 2 3 4 In Microsoft Word Microsoft Excel or Microsoft PowerPoint create and save a document Click the Home menu Click the down arrow next to Sign and Encrypt and then click Encrypt Document The Select Trusted Contacts dialog box opens Click the name of a Trusted Contact who will be able to open the document and view its contents Er NOTE To select multiple Trusted Contact names hold down the Ctrl key and click the individual names General tasks 39 5 Click OK 6 Authenticate using your chosen security logon method If you later decide to edit the document follow the steps in Signing a Microsoft Office Document When the encryption is removed you can edit the d
94. tained a Privacy Manager Certificate a message informs you that you must have a Privacy Manager Certificate in order to send a Trusted Contact request Click OK to launch the Certificate Request Wizard Authenticate using your chosen security logon method 36 Chapter6 Privacy Manager for HP ProtectTools ENWW dl E NOTE When the e mail is received by the Trusted Contact recipient the recipient must open the e mail and click Accept in the lower right corner of the e mail and then click OK when the confirmation dialog box opens 7 When you receive an e mail response from a recipient accepting the invitation to become a Trusted Contact click Accept in the lower right corner of the e mail A dialog box opens confirming that the recipient has been successfully added to your Trusted Contacts list 8 Click OK Viewing Trusted Contact details 1 In the Security Manager left pane expand Privacy Manager and click Trusted Contacts Manager 2 Click a Trusted Contact 3 Click Contact details 4 When you have finished viewing the details click OK Deleting a Trusted Contact 1 In the Security Manager left pane expand Privacy Manager and click Trusted Contacts Manager 2 Click the Trusted Contact you want to delete 3 Click Delete contact 4 When the confirmation dialog box opens click Yes Checking revocation status for a Trusted Contact 1 In the Security Manager left pane expand Privacy Manager and c
95. ted e System files and compressed files cannot be encrypted and encrypted files cannot be compressed e Temporary folders should be encrypted because they are potentially of interest to hackers e Arecovery policy is automatically set up when you encrypt a file or folder for the first time This policy ensures that if you lose your encryption certificates and private keys you will be able to use a recovery agent to decrypt your information amp NOTE Encrypting files and folders is not supported on Windows Home versions To encrypt files and folders 1 Right click the file or folder that you want to encrypt 2 Click Encrypt 3 Click one of the following options e Apply changes to this folder only e Apply changes to this folder subfolders and files 4 Click OK Sending and receiving encrypted e mail Embedded Security enables you to send and receive encrypted e mail but the procedures vary depending upon the program you use to access your e mail For more information refer to the Embedded Security software Help and the software Help for your e mail program ENWW General tasks 51 Advanced tasks Backing up and restoring The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emergency Creating a backup file To create a backup file 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 In the left
96. tication policies Security Manager authentication policies for this computer are defined on two tabs Logon and Session which specify the credentials required to authenticate each class of user when accessing the computer and HP ProtectTools applications during a user session Logon tab To specify the credentials required to access the computer decrypt the hard drive and log on to Windows 1 In the left pane of the Administrative Console expand Security and click on Authentication 2 On the Logon tab select a category of user from the drop down list 3 In the Policy section specify the authentication credential s required for the selected category of user by clicking the check box or boxes next to the listed credentials You must specify at least one credential 4 Inthe Policy section drop down list choose whether ANY only one of the specified credentials are required or if ALL of the specified credentials are required in order to authenticate a user 5 Click the Apply button Er NOTE Ifthe Policy is set to ALL of the specified credentials are required to authenticate and the system is configured for both password and Smart Card and the Smart Card is damaged or lost all administrators could be locked out of Windows and require special tools to regain access Session tab To define policies governing the credentials required to authenticate a user when logging on to HP ProtectTools applications during a Windows
97. ty features 1 50 Chapter 8 If the Embedded Security User Initialization Wizard is not open click Start click All Programs click HP and then click HP ProtectTools Security Manager In the left pane click Embedded Security and then click User Settings In the right pane under Embedded Security Features click Configure The Embedded Security User Initialization Wizard opens Follow the on screen instructions Embedded Security for HP ProtectTools ENWW dl E NOTE Touse secure e mail you must first configure the e mail client to use a digital certificate that is created with Embedded Security If a digital certificate is not available you must obtain one from a certification authority For instructions on configuring your e mail and obtaining a digital certificate refer to the e mail client software Help General tasks After the basic user account is set up you can perform the following tasks e Encrypting files and folders e Sending and receiving encrypted e mail Using the Personal Secure Drive After setting up the PSD you are prompted to type the Basic User Key password at the next logon If the Basic User Key password is entered correctly you can access the PSD directly from Windows Explorer Encrypting files and folders When working with encrypted files consider the following rules e Only files and folders on NTFS partitions can be encrypted Files and folders on FAT partitions cannot be encryp
98. ule TPM embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools Most HP commercial desktop computers include the Infineon TPM which is the only common criteria certified chip to meet TCG specifications Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials This software module provides the following security features e Enhanced Microsoft Encryption File System EFS file and folder encryption EFS is not available on Windows Home versions e Creation of a personal secure drive PSD for protecting user data e Data management functions such as backing up and restoring the key hierarchy e Support for third party applications such as Microsoft Outlook and Internet Explorer for protected digital certificate operations when using the Embedded Security software The TPM embedded security chip enhances and enables other HP ProtectTools Security Manager security features For example Drive Encryption for HP ProtectTools can use the embedded chip as an authentication factor when the user logs on to Windows Setup procedures A CAUTION To reduce security risk it is highly recommended that your IT administrator immediately initialize the embedded security chip Failure to initialize the embedded security chip could result in an unauthorized user a computer worm or a virus taking ownership of the computer and gaining control over the owner tasks
99. ur document For example if you prepare a document that needs to be signed by all members of your department you can include signature lines for those users at the bottom of the final page of the document with instructions to sign by a specific date 38 Chapter6 Privacy Manager for HP ProtectTools ENWW ENWW To add a suggested signer to a Microsoft Word or Microsoft Excel document 1 2 3 ET 8 In Microsoft Word or Microsoft Excel create and save a document Click the Insert menu In the Text group on the toolbar click the arrow next to Signature Line and then click Privacy Manager Signature Provider The Signature Setup dialog box opens In the box under Suggested signer enter the name of the suggested signer In the box under Instructions to the signer enter a message for this suggested signer NOTE This message will appear in place of a title and is either deleted or replaced by the user s title when the document is signed Select the Show sign date in signature line check box to show the date Select the Show signer s title in signature line check box to show the title NOTE Because the owner of the document assigns suggested signers to his or her document if the Show sign date in signature line and or Show signer s title in signature line check boxes are not selected the suggested signer will not be able to display the date and or title in the signature line even if the suggested signer s documen
100. urity Manager for general users Configure and change File Sanitizer Shred Bleaching and Settings View settings for Encryption Status and Device Access Manager Use Privacy Manager to increase security of e mails and documents Activate Computrace for HP ProtectTools Configure Preferences and Backup and Restore options Credential Manager for HP ProtectTools part of Security Manager Organize set up and change user names and passwords Configure and change user credentials such as Windows password and Smart Card Acts as a personal password vault streamlining the logon process with the Single Sign On feature which automatically remembers and applies user credentials Create and Organize single sign on user names and passwords Drive Encryption for HP ProtectTools Provides complete full volume hard drive encryption Forces pre boot authentication in order to decrypt and access the data on the hard drive Offers the option to activate SED drives Self Encrypting Drives if equipped Privacy Manager for HP ProtectTools Used to obtain Certificates of Authority which verify the source integrity and security of communication when using Microsoft e mail and Microsoft Office documents File Sanitizer for HP ProtectTools Allows you to securely shred digital assets securely delete sensitive information including application files historical or Web related content or other confidential data
101. urity Manager requires administrative privileges The HP ProtectTools Security Manager Setup Wizard guides you through setting up the security features of HP ProtectTools However there is a wealth of additional functionality available through the HP ProtectTools Security Manager Console The same settings found in the wizard as well as additional security features can be configured through the console accessed from the Windows Start menu or from a link within the Administrative console These settings apply to the computer and all users who share the computer The first time that you log on to Windows you will be prompted to set up HP ProtectTools Security Manager Click OK to launch the Security Manager Setup wizard which will guide you through the basic steps in configuring the program NOTE You can also launch the Security Wizard by clicking Security Wizard in the bottom section of the left pane on the Administrative Console Follow the on screen instructions in the Setup Wizard until setup is complete If you do not complete the wizard it will launch automatically until you click Do not show this wizard again To use the HP ProtectTools Security Manager applications launch HP ProtectTools Security Manager from the Start menu or by right clicking the Security Manager icon in the taskbar notification area system tray The Security Manager console and its applications are available to all users who share this computer Confi
102. urity features users and authentication devices such as smart card readers e Applications Includes tools for configuring the behavior of Security Manager and its applications e Data Provides tools for managing drive encryptions and backing up and recovering encryption keys e Computer Device Access Manager provides advanced security options to selectively disallow various types of devices that could compromise PC security and set access permissions for various users and groups e Communications Privacy Manager allows the user to manage third party certificates for e mail authentication Embedded Security allows the user to exchange TPM encrypted e mail 12 Chapter 2 HP ProtectTools Security Manager Administrative Console ENWW e Management Tools Opens your default browser to a web page where you can discover additional management applications and tools that extend the features of Security Manager as well as a means to stay notified when new applications and updates are available e Links Provides the following Setup Wizard Launches the Setup Wizard which guides you through the initial configuration of Security Manager Help Opens the help file which provides information about Security Manager and its applications About Displays information about HP ProtectTools Security Manager including the version number and copyright notice Getting Started Setup Wizard Administration of HP ProtectTools Sec
103. usted contacts A task that adds a digital signature encrypts the e mail and sends it after you authenticate using your chosen security logon method security logon method The method used to log in to the computer Send Security button A software button that is displayed on the toolbar of Microsoft Outlook e mail messages Clicking the button allows you to sign and or encrypt a Microsoft Outlook e mail message shred cycle The number of times the shred algorithm is executed on each asset The higher the number of shred cycles you select the more secure the computer is shred profile A specified erasure method and list of assets shred The execution of an algorithm that obscures the data contained in an asset Sign and Encrypt button A software button that is displayed on the toolbar of Microsoft Office applications Clicking the button allows you to sign encrypt or removing encryption in a Microsoft Office document signature line A placeholder for the visual display of a digital signature When a document is signed the signer s name and verification method are displayed The signing date and the signer s title can also be included simple delete Deletion of the Windows reference to an asset The asset content remains on the hard drive until obscuring data is written over it by free space bleaching Smart Card A removable card that is inserted into the computer It contains identification information for logon Loggin
104. word Manager Drive Encryption PreBoot or future third party access points Smart Card options remain hidden until a Smart Card reader is detected With Smart Card security you can accomplish the following tasks e Access Smart Card Security features e Work with the Security Manager Setup utility to enable Smart Card authentication e Smart Card can be used as an authentication method in Drive Encryption preboot e Smart Card can be used in conjunction with other authentication methods e Administrative Console can initialize the PIN Managing passwords 19 Initializing the Smart Card HP ProtectTools Security Manager can support a number of different Smart Cards The number and type of characters used as PIN numbers may vary The manufacturer of the Smart Card should provide tools to install a security certificate and management PIN that ProtectTools will use in its security algorithm E NOTE The manufacture s Smart Card software will often provide an unlock key Most Smart Cards will lock themselves when the PIN is entered wrong 5 times The key is used to unlock the card 1 Once the Smart Card is set up with the manufacturer s software insert the card into the reader 2 Click Start click All Programs click HP and then click HP ProtectTools Administrative Console 3 In the Administrative Console click Devices click Configure the use of the smart card then click the Setup a Smart Card tab 4 Ensure that Initialize t
105. wse for additional applications 4 On the Updates and Messages tab you can stay informed about new applications and updates by clicking the Keep me informed about new applications and updates check box and setting a number of days to check for updates or you can click the Check Now button to immediately check for updates Setting preferences The Preferences page allows you to select the Show icon on the taskbar check box to display the Security Manager icon in the taskbar notification area system tray To access the Preferences page 1 Click Start click All Programs click HP and then click HP ProtectTools Security Manager 2 Inthe Security Manager left pane click Advanced and then click Preferences 3 Check or uncheck the Show icon on the taskbar check box and click Apply Backup and Restore It is a good practice to backup your Security Manager data on a regular basis How often you back it up depends on how often the data changes For instance if you regularly add new logons on a daily basis you should probably back up your data daily Backups can also be used to migrate from one computer to another also sometimes called importing and exporting Remember though that only the data is backed up by this feature If you restore the backup file to another computer or to the same computer after reinstalling the operating system the system must have HP ProtectTools Security Manager already installed before restoring the data
106. y of the encryption key so only they can decrypt the confidential e mail Computrace for HP ProtectTools formerly known as LoJack Pro Computrace for HP ProtectTools is a service that can track the location of a stolen computer whenever the user accesses the Internet Example 1 A school principal instructed the IT department to keep track of all the computers at his school After the inventory of the PCs was made the IT Administrator registered all the computers with Computrace so they could be traced in case they were ever stolen Recently the school realized several computers were missing so the IT Administrator alerted authorities and Computrace officials The computers were located and were returned to the school by the authorities Computrace for HP ProtectTools can also help remotely manage and locate computers as well as monitor computer usage and applications Example 2 A real estate company needs to manage and update computers all over the world They use Computrace to monitor and update the computers without having to send an IT person to each computer Accessing HP ProtectTools Security To access HP ProtectTools Security Manager from the Windows Start menu A In Windows click Start click All Programs click HP and then click HP ProtectTools Security Manager To access HP ProtectTools Security Manager Administrative Console from the Windows Start menu A In Windows click Start click All Programs click HP and then c
Download Pdf Manuals
Related Search