Lenovo ThinkVantage (Client Security Solution 8.21) User Manual

ClientSecuritySolution8.21DeploymentGuideUpdated:February,2012

youcreate.Createthissecureenvironmentassoonaspossible,beforeapasswordisforgotten.Youcannotresetaforgottenhardwarepassworduntilthissecureenvironmentisc

Chapter2.InstallationThischaptercontainsinstructionsforinstallingClientSecuritySolution,andFingerprintSoftware.BeforeinstallingClientSecuritySolutiono

CustompublicpropertiesTheinstallationpackagefortheClientSecuritySoftwareprogramcontainsasetofcustompublicpropertiesthatcanbesetonthecommandlinewhenrun

Afterownershipofthesystemiscongured,eachadditionalWindowsuserthatlogsintothesystemisautomaticallypromptedwiththeClientSecuritysSetupwizardinordertoen

customizationsaremade,theusercallsmsiexec.exefromthecommandline,passingthenameoftheunpackedMSIle.Thefollowingparametersanddescriptionsaredocumentedin

Table3.CommandlineparametersParameterDescription/IpackageorproductcodeUsethisformattoinstalltheproduct:Othello:msiexec/i"C:\WindowsFolder\Proles

Table3.Commandlineparameters(continued)ParameterDescriptionYoucanseparatemultipletransformswithasemicolon.Donotusesemicolonsinthenameofyourtransform,a

Table4.WindowsInstallerproperties(continued)PropertyDescriptionARPSYSTEMCOMPONENTPreventsdisplayofapplicationintheAddorRemoveProgramslist.ARPURLINFOAB

Table6.InstallationexamplesusingClientSecurity-PasswordManager.msiDescriptionExampleInstallationmsiexec/i“C:\CSS82\ClientSecuritySolution-PasswordMana

Table7.OptionssupportedbytheFingerprintSoftwareParameterDescriptionCTRLONCEDisplaystheControlCenteronlyonce.Thedefaultvalueis0.CTLCNTRRunstheControlCe

Note:Beforeusingthisinformationandtheproductitsupports,readthegeneralinformationinAppendixD“Notices”onpage75.ThirdEdition(February2012)©CopyrightLenov

Table8.OptionssupportedbytheLenovoFingerprintSoftwareParameterDescriptionSWAUTOSTART•0=willnotstartngerprintsoftwareonWindowsstartup.•1=willstartnge

Table8.OptionssupportedbytheLenovoFingerprintSoftware(continued)ParameterDescriptionSWANTIHAMMERRETRIESSpeciesthemaximumretries.Thedefaultvalueis5.No

16ClientSecuritySolution8.21DeploymentGuide

Chapter3.WorkingwithClientSecuritySolutionBeforeyouinstallClientSecuritySolution,youshouldunderstandthecustomizationavailableforClientSecuritySolution

enrolledasanactiveuser.EveryotheruserthatlogsintothesystemwillbeautomaticallyrequestedtoenrollintoClientSecuritySolution.•TakeOwnershipAsingleWindowsa

ThefollowingdiagramprovidesthestructurefortheSystemLevelKey:System Level Key Structure - Take OwnershipTrusted Platform ModuleEncrypted via derived AE

Thefollowingdiagramprovidesthestructurefortheuserlevelkey:User Level Key Structure - Enroll UserTrusted Platform ModuleEncrypted via derived AES KeySt

TheTPMemulationmodecannotbeusedasasecuresubstitutefortheTPM.TheTPMprovidesthefollowingtwokeyprotectionmethodsthataremoresecurethantheTPMemulationmode.

Thefollowingdiagramprovidesthestructureforthemotherboardswap-takeownership:Motherboard Swap - Take OwnershipTrusted Platform ModuleDecrypted via deriv

EFSprotectionutilityClientSecuritySolutionprovidesacommandlineutilitythatenablesTPM-basedprotectionofencryptioncerticatesusedbytheEncryptingFileSyste

ContentsPreface...iiiChapter1.Overview...1ClientSecuritySolution...1ClientSecuritySolutionpassphrase...2ClientSecurity

UsingtheXMLSchemaThepurposeoftheXMLscriptingistoenableITadministratorstocreatecustomscriptsthatcanbeusedtodeployandcongureClientSecuritySolution.Thes

<SYSTEM_PAP>password</SYSTEM_PAP></FUNCTION></CSSFile>Note:Thiscommandisnotsupportedintheemulationmode.ENABLE_PWMGR_FUNCTIONTh

ThefollowingcommandenablesthelogonwiththefastuserswitchingsupportanddisablestheClientSecuritySolutionWindowslogon.Thefastuserswitchingmightnotbeenable

ENABLE_NONE_GINA_FUNCTIONIfoneofGINArelatedTVTcomponentssuchasThinkVantageFingerprintSoftware,ClientSecuritySolution,orAccessConnectionlogonisenabled,

Note:Thiscommandisnotsupportedintheemulationmode.INITIALIZE_SYSTEM_FUNCTIONThiscommandinitializestheClientSecuritySolutionsystemfunction.Thesystem-wid

Note:Thiscommandisnotsupportedintheemulationmode.ENROLL_USER_FUNCTIONThiscommandenrollsaparticularusertouseClientSecuritySolution.Thisfunctioncreatesa

<DOMAIN_NAME_PARAMETER>IBM-2AA92582C79<DOMAIN_NAME_PARAMETER><USER_PW_REC_ANSWER_DATA_PARAMETER>Test1</USER_PW_REC_ANSWER_DATA_PA

UsingRSASecurIDtokensLeveringtheencryptionalgorithmmethodofencryptingdata,usingRSASecurIDtokensinadditiontoClientSecuritySolutionwillprovideyourenterp

ToleveragethePKCS#11moduleofClientSecuritySolution,thefollowingpoliciesmustbesetforActiveDirectory:1.PKCS#11Signature2.PKCS#11DecryptionThefollowingta

•“SecurityAdvisor”onpage33•“ClientSecuritySolutionsetupwizard”onpage34•“Deploymentleencryptordecrypttool”onpage34•“Deploymentleprocessingtool”onpage

DeploymentexamplesforinstallingClientSecuritySolution...55Scenario1...55Scenario2...57SwitchingClientSecuritySolut

Table11.Parameters(continued)ParametersDescriptionFileSharingSetsthevalueforthelesharing.1willshowthissection,0willhide.Ifnotpresentthenitisshownbyde

Table13.ParametersforencryptingordecryptingClientSecurityXMLdeploymentlesParametersResults/hor/?DisplaysthehelpmessageFILENAMEDisplayspathnameandlen

Table16.css_cert_transfer_tool.exe<cert_store_type><lter_type>:<name|size>|all_access|usageParameterDescription<cert_store_type&

Table17.ParametersforactivatingordeactivatingtheTPMontheLenovosystem(continued)ParameterDescription/deactivateDeactivatestheTPM.Note:Ifyouruntpm_activ

•DefaultuserpreferencesAsdescribedpreviously,computeranduserpoliciesaredenedbytheadministrator.ThesesettingscanbeinitializedthroughtheXMLconguration

Table19.ComputerConguration➙Administrativetemplates➙ThinkVantage➙ClientSecuritySolution➙Authenticationpolicies➙SecuremodePolicyEnabledsettingsDescrip

Table21.ComputerConguration➙Administrativetemplates➙ThinkVantage➙ClientSecuritySolution➙AuthenticationpoliciesPolicyEnabledsettingsDescriptionPasswor

Table23.ComputerConguration➙ThinkVantage➙ClientSecuritySolution➙UserinterfacePolicysettingDescriptionFingerprintsoftwareoptionShow,grayorhidetheFinge

Table24.ComputerConguration➙ThinkVantage➙ClientSecuritySolution➙Workstationsecuritytool(continued)PolicySettingDescriptionWindowsUsersPasswordsPasswo

ActiveUpdateParameterFileTheActiveUpdateparameterlecontainsthesettingstobepassedtoActiveUpdate.TheTargetAppparameterispassedasshowninthisexample:<

PrefaceThisguideisintendedforITadministrators,orthoseresponsiblefordeployingThinkVantage®ClientSecuritySolutionandThinkVantageFingerprintSoftwaretocom

44ClientSecuritySolution8.21DeploymentGuide

Chapter4.WorkingwithThinkVantageFingerprintSoftwareThengerprintconsolemustberunfromtheFingerprintSoftwareinstallationfolder.ThebasicsyntaxisFPRCONSOL

Table25.User-speciccommands(continued)CommandSyntaxDescriptionExportenrolledusertoaleSyntax:EXPORTusername[|domain\username]leThiscommandwillexport

SecuremodeandconvenientmodeFingerprintSoftwarecanberunintwosecuritymodes,asecuremodeandaconvenientmode.Thesecuremodeisintendedforsituationswhenyouwant

Table28.Optionsforlimitedusersinthesecuremode(continued)SettingDescriptionDeletePassportLimitedusercandeleteonlytheirownpassport.Power-onSecurityLimit

Table30.Optionsforlimitedusersintheconvenientmode(continued)SettingsDescriptionSecuritymodeLimiteduserscannotmodifysecuritymodes.ProServersLimiteduser

Thengerprintsoftwarewillcontinuetovalidatethepasswordatsystemlogon.Note:Whentheaboveregistrykeyissetto1,ifthedomainadministratorchangestheuser's

9.Reboot.Note:YourauthenticationIDandpasswordforWindowsandNovellmustbeidentical.ThinkVantageFingerprintSoftwareserviceTheupeksvr.exeserviceisaddedtoth

52ClientSecuritySolution8.21DeploymentGuide

Chapter5.WorkingwithLenovoFingerprintSoftwareThengerprintconsolemustberunfromtheLenovoFingerprintSoftwareinstallationfolder.ThebasicsyntaxisFPRCONSOL

ivClientSecuritySolution8.21DeploymentGuide

Table31.Policysettings(continued)SettingDescriptionAlwaysshowpower-onsecurityoptionsIfyouenablethissetting,userswillbeabletoselectusingtheFingerprintR

Chapter6.BestPracticesThischapterpresentsscenariostoillustratethebestpracticesofClientSecuritySolutionandFingerprintSoftware.Thisscenariostartswiththe

•TypetheClientSecuritypassphrase(forexample,CSPP4Admin)fortheadministratoraccount,checktheUsetheClientSecuritypassphrasetoprotectaccesstotheRescueandR

*******************************************************Readytotakesysprepbackup.********PLEASERUNSYSPREPNOWANDSHUTDOWN.********Nexttimethemachineboots

4.InstallThinkVantageFingerprinttutorialbyrunningthef001zpz7001us00.exetoextractthetutess.exelefromtheWebpackage.Thiswillautomaticallyextractthesetup

5.Afterrebootingthesystem,congurethesystemwiththeXMLscriptlethroughthefollowingprocedure:•CopytheThinkPad.xml.enclepreparedearlytotheC:\directory.•

2.Overinstallallthreedifferentversionsofoldersoftware(RescueandRecovery1.0/2.0/3.0,Fingerprint,ClientSecuritySolution5.4–6,FFE).Settingsshouldbekeptwh

1.OpenCerticationAuthority.2.Intheconsoletree,clickCerticateT emplates.3.FromtheActionmenu,clickNew➙CerticatetoIssue.4.ClickTPMandclickOK.Applyingc

4.UsetheThinkVantagengerprintsoftwaretoenrollyourngerprintswiththeexternalngerprintsensor.Ifitdoesnotautomaticallystart,clickStart➙Programs➙ThinkVa

11.ClickStart➙Programs➙ThinkVantage➙ThinkVantageFingerprintSoftwaretostarttheenrollment.12.ClickFingerprints➙EnrollorEditFingerprints,andthenclickNext

Chapter1.OverviewThischapterprovidesanoverviewofClientSecuritySolutionandFingerprintSoftware.Thetechnologiespresentedinthisdeploymentguidecandirectlya

ClientSecuritySolutionandPasswordManagerDifferentfromWindowslogon,authenticationrequestsfromClientSecuritySolutionandPasswordManageronlyworkontheprefe

Note:IfthesettingPower-onSecurityisnotavailable,createaregistryentryasfollowstodisplaythissetting:[HKEY_LOCAL_MACHINE\SOFTWARE\ProtectorSuiteQL\1.0]RE

66ClientSecuritySolution8.21DeploymentGuide

AppendixA.ConsiderationswhenusingOmniPassOmniPassfromSoftex©isaprogramthatcanbeusedtosecurelylogintoWebsitesandapplications,aswellasprotectdataonacomp

Table33.Omnipassfeatureoverlap(continued)FunctionFeatureoverlapConsiderationsUserauthenticationBothClientSecuritySolutionandOmniPassmaypromptforuserau

AppendixB.SpecialconsiderationsforusingtheLenovoFingerprintKeyboardwithsomeThinkPadnotebookmodelsThengerprintdeviceusedinsomeThinkPadnotebookmodelsis

WindowsXP-WelcomeScreenTosupportloggingonwitheithertheLenovoFingerprintKeyboardorthebuilt-inThinkPadngerprintsensorwiththeWindowsXPWelcomeScreen,thel

2.TheWindowsVistalogonscreenmayonlyshowone“tile,orbutton,forngerprintlogon,althougheitherngerprintsensorcanbeusedtologon.Alternatively,tosupportlogo

72ClientSecuritySolution8.21DeploymentGuide

AppendixC.SynchronizingpasswordinCSSaftertheWindowspasswordisresetAftertheWindowspasswordisreset,ClientSecuritySolutioncontinuallypromptsyouforanewWin

ClientSecuritySolutionpassphraseTheClientSecuritySolutionpassphraseisanoptionalfeatureofuserauthenticationthatwillprovideenhancedsecuritytoClientSecur

74ClientSecuritySolution8.21DeploymentGuide

AppendixD.NoticesLenovomaynotoffertheproducts,services,orfeaturesdiscussedinthisdocumentinallcountries.ConsultyourlocalLenovorepresentativeforinformat

TrademarksThefollowingtermsaretrademarksofLenovointheUnitedStates,othercountries,orboth:LenovoRescueandRecoveryThinkCentreThinkPadThinkVantageMicrosof

GlossaryAdministrator(ThinkCentre)/Supervisor(ThinkPad)BIOSPasswordTheadministratororsupervisorpasswordisusedtocontroltheabilitytochangeBIOSsettings.T

Symmetric-keyencryptionSymmetrickeyencryptionciphersusethesamekeyforencryptionanddecryptionofdata.Symmetrickeyciphersaresimplerandfaster,buttheirmaind

•AutolluserIDsandpasswords:Automatesyourloginprocesswhenyouaccessanapplicationorwebsite.IfyourlogoninformationhasbeenenteredintoClientSecurityPasswor