Client Security Solution 8.3 Deployment Guide
Updated: December, 2011
consistent and secure environment. The systems that have the embedded security chip are more robust against an attack; however, for the systems without the embedded security ch
Chapter 2. Installation

This chapter contains instructions for installing Client Security Solution, and Fingerprint Software. Before installing Client Security Solution o
Table 1. Public properties
Property | Description
EMULATIONMODE | Specify to force the installation in Emulation mode even if a TPM exists. Set EMULATIONMODE=1 on the command line
Software emulation of the Trusted Platform Module

Client Security Solution has the option to run without a Trusted Platform Module on qualified systems. The functionality will b
The following parameters and descriptions are documented in the InstallShield developer help documentation. Parameters that do not apply to Basic MSI projects were removed. T
Table 3. Command line parameters
Parameter | Description
/I package or product code | Use this format to install the product: Othello: msiexec /i "C:\WindowsFolder\Profiles
Table 3. Command line parameters (continued)
Parameter | Description
You can separate multiple transforms with a semicolon. Do not use semicolons in the name of your transform, a
Table 4. Windows Installer properties (continued)
Property | Description
ARPSYSTEMCOMPONENT | Prevents display of application in the Add or Remove Programs list.
ARPURLINFOAB
Installing ThinkVantage Fingerprint Software

The setup.exe file of the ThinkVantage Fingerprint Software program can be installed through the following methods: Silent inst
Table 7. Options supported by the ThinkVantage Fingerprint Software (continued)
Parameter | Description
PASSPORT | Set the default passport type. • 1 = Local passport • 2 = Server p
Note: Before using this information and the product it supports, read the general information in Appendix E “Notices” on page 75.

Fourth Edition (December 2011)
© Copyright Leno
Table 7. Options supported by the ThinkVantage Fingerprint Software (continued)
Parameter | Description
LOCKOUT | • 1 = Enable the anti-hammering protection. • 0 = Disable the ant
Silent installation

To silently install the Fingerprint Software, run the setup32.exe file located in the installation directory on your CD-ROM drive. Use the following syntax
Table 8. Options supported by the Lenovo Fingerprint Software (continued)
Parameter | Description
SWALLOWIMEXPORT | • 0 = Disable the fingerprint import/export for non-administ
Systems Management Server

Systems management server (SMS) installations are also supported. Open the SMS administrator console. Create a new package and set package properti
Chapter 3. Working with Client Security Solution

Before you install Client Security Solution, you should understand the customization available for Client Security Solution
enrolled as an active user. Every other user that logs into the system will be automatically requested to enroll into Client Security Solution.
• Take Ownership
A single Windows a
The following diagram provides the structure for the System Level Key:

System Level Key Structure - Take Ownership
Trusted Platform Module
Encrypted via derived AE
The following diagram provides the structure for the user level key:

User Level Key Structure - Enroll User
Trusted Platform Module
Encrypted via derived AES Key
St
The TPM emulation mode cannot be used as a secure substitute for the TPM. The TPM provides the following two key protection methods that are more secure than the TPM emulation mode.
Contents
Preface
Chapter 1. Overview
Client Security Solution
Client Security Solution passphrase
Client Security
The following diagram provides the structure for the motherboard swap - take ownership:

Motherboard Swap - Take Ownership
Trusted Platform Module
Decrypted via deriv
EFS protection utility

Client Security Solution provides a command line utility that enables TPM-based protection of encryption certificates used by the Encrypting File Syste
When run in silent mode, the output of the program will be an errorlevel corresponding to the error numbers shown above.

Using the XML Schema

The purpose of the XML scripting is to e
<ORDER>0001</ORDER><COMMAND>DISABLE_TPM_FUNCTION</COMMAND><VERSION>1.0</VERSION><SYSTEM_PAP>password</SYS
2. This command is not supported in the emulation mode.

The following command enables the logon with fast user switching support and disables the Client Security Solution Window
ENABLE_NONE_GINA_FUNCTION

If the GINA or CP (Credential Provider) of one of the related ThinkVantage Technologies components, such as ThinkVantage Fingerprint Software, Cl
Note: This command is not supported in the emulation mode.

INITIALIZE_SYSTEM_FUNCTION

This command initializes the Client Security Solution system function. The system-wid
Note: This command is not supported in the emulation mode.

ENROLL_USER_FUNCTION

This command enrolls a particular user to use Client Security Solution. This function creates a
<DOMAIN_NAME_PARAMETER>IBM-2AA92582C79</DOMAIN_NAME_PARAMETER><USER_PW_REC_ANSWER_DATA_PARAMETER>Test1</USER_PW_REC_ANSWER_DATA_PA
1. Go to the following Web site: http://www.rsasecurity.com/node.asp?id=1156
2. Complete the registration process.
3. Download and install the RSA SecurID Software.
Requir
Scenario 2
Switching Client Security Solution modes
Corporate Active Directory rollout
Standalone Install for CD or script files
Sy
Table 10. ThinkVantage\Client Security Solution\Authentication Policies\PKCS#11 Signature\Custom Mode
Fields CSS.ADM Modifiable field Required Field Description Contro
• “Certificate Transfer tool” on page 37
• “Activating or deactivating the TPM” on page 38

Security Advisor

To use the Security Advisor function, launch the Client Security Soluti
Table 11. Parameters (continued)
Parameters | Description
Embedded Security Chip | Sets value that security chip should be enabled, or setting will be flagged.
Client Security Sol
Table 13. Parameters for encrypting or decrypting Client Security XML deployment files (continued)
Parameters | Results
/encrypt or /decrypt | Selects /encrypt for XML files and /d
Table 16. css_cert_transfer_tool.exe <cert_store_type> <filter_type>:<name|size>|all_access|usage
Parameter | Description
<cert_store_type&
For desktop computers, do the following to activate the TPM:
1. Go to the Web site at http://support.lenovo.com/en_US/detail.page?LegacyDocID=MIGR-75407.
2. Click Visual B
• Disabled
• Activated
• Deactivated
• Owned
• Not owned

/setstate:<state> sets the TPM status type you prefer. 0 represents disabled and deactivated. 1 represents enable
The following examples are settings that Active Directory can manage for Client Security Solution:
• Security policies.
• Custom security policies; such as whether to use a Wind
HKLM\Software\Lenovo\ClientSecuritySolution\
User preferences: HKCU\Software\Lenovo\ClientSecuritySolution\
Default user preferences: HKLM\Software\Lenovo\Cl
Table 20. Computer Configuration ➙ Administrative templates ➙ ThinkVantage ➙ Client Security Solution ➙ Authentication policies ➙ Default mode (continued)
Policy Enabled set
Preface

Information presented in this guide is to support Lenovo® computers installed with the ThinkVantage® Client Security Solution program and the Fingerprint Software pr
Table 22. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ Password manager (continued)
Policy setting | Description
Disable Auto-fill | Controls whether Passw
Table 23. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ User interface (continued)
Policy setting | Description
Enable/disable Windows password recovery
Table 24. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ Workstation security tool (continued)
Policy Setting | Description
Client Security Embedded Secur
Chapter 4. Working with ThinkVantage Fingerprint Software

The fingerprint console must be run from the ThinkVantage Fingerprint Software installation folder. The basic synta
Table 25. User-specific commands (continued)
Command | Syntax | Description
Enumerate enrolled users | List | Lists the enrolled users.
Export enrolled user to a file | Syntax: EXPORT us
Secure mode and convenient mode

Fingerprint Software can be run in two security modes, a secure mode and a convenient mode. The secure mode is intended for situations when you want
Table 28. Options for limited users in the secure mode (continued)
Setting | Description
Delete Passport | Limited user can delete only their own passport.
Power-on Security | Limit
Table 30. Options for limited users in the convenient mode (continued)
Settings | Description
Security mode | Limited users cannot modify security modes.
Pro Servers | Limited user
The fingerprint software will continue to validate the password at system logon.

Note: When the above registry key is set to 1, if the domain administrator changes the user's
8. Log on to Windows.
9. Reboot.

Note: Your authentication ID and password for Windows and Novell must be identical.

ThinkVantage Fingerprint Software service

The upeksvr.exe s
Chapter 5. Working with Lenovo Fingerprint Software

The fingerprint console must be run from the Lenovo Fingerprint Software installation folder. The basic syntax is FPRCONSOL
Table 31. Policy settings (continued)
Setting | Description
administrators will only be able to login using fingerprints.
Allow user to retrieve password through fingerprint aut
Chapter 6. Best Practices

This chapter presents scenarios to illustrate the best practices of Client Security Solution and Fingerprint Software. This scenario starts with the
3) Type the Client Security passphrase (for example, CSPP4Admin) for the administrator account, select the Use the Client Security passphrase to protect access to the Rescue an
******************************************************* Ready to take sysprep backup. ******** PLEASE RUN SYSPREP NOW AND SHUTDOWN. ******** Next time the machine boots
b. Double-click the extracted setup.exe file and follow the instructions on the screen to install the ThinkVantage Fingerprint Software.
4. Install the ThinkVantage Fingerpri
3. Install the ThinkVantage Fingerprint console on the deployment machine by doing the following:
a. Deploy the fprconsole.exe file that has been extracted from the preparation
c. Through Active Directory, enable Antidote Delivery Manager. Place packages to be run and make sure reporting is captured.

Standalone Install for CD or script files

For a standa
3. From the File menu, click Add/Remove Snap-in, and then click Add. The Add Standalone snap-in window displays.
4. Double-click Certification Authority in the snap-in list, and
Chapter 1. Overview

This chapter provides an overview of Client Security Solution and Fingerprint Software. The technologies presented in this deployment guide can directly a
This section describes the common usage scenarios and deployment strategies for fingerprint software that is installed on the latest ThinkPad notebook computer models.

Note: •
Table 32. Registry keys
Name | Value | Description
0 (default) Specifies that the external fingerprint sensor is preferred whenever the fingerprint keyboard is connected.
PreferInt
Appendix A. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models

The fingerprint device used in some ThinkPad notebook models is
• Using the Fingerprint Software logon interface
The logon interfaces of both Lenovo Fingerprint Software and ThinkVantage Fingerprint Software must be enabled. When both fing
Appendix B. Synchronizing password in Client Security Solution after the Windows password is reset

After the Windows password is reset, Client Security Solution continually p
Appendix C. Using Client Security Solution on a reinstalled Windows operating system

If your Windows operating system installed with Client Security Solution has been reinsta
Appendix D. Using the TPM on ThinkPad notebook computers

The main use case for the TPM is the BitLocker feature that is included with certain versions of the Microsoft Windows Vist
Client Security Solution passphrase

The Client Security Solution passphrase is an optional feature of user authentication that will provide enhanced security to Client Secur
• Atmel - ThinkPad T60/R60/X60/X300, ThinkCentre M57
• Intel - ThinkPad T500/R500/X200/X301
• STMicro - ThinkPad T410/T510/X201/T420/T520/X220, ThinkCentre M90
• Winbond -
Appendix E. Notices

Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult your local Lenovo representative for informat
Trademarks

The following terms are trademarks of Lenovo in the United States, other countries, or both:
Lenovo
ThinkCentre
ThinkPad
ThinkVantage

Microsoft, Internet Explore
Glossary

Administrator (ThinkCentre)/Supervisor (ThinkPad) BIOS Password
The administrator or supervisor password is used to control the ability to change BIOS settings. T
Symmetric-key encryption
Symmetric key encryption ciphers use the same key for encryption and decryption of data. Symmetric key ciphers are simpler and faster, but their main d
entry related changes can be detected automatically by Client Security Password Manager and allows the user to update their entries with even less work.
• Save your information w