Lenovo ThinkVantage Client Security Solution 8.3 User Manual

ClientSecuritySolution8.3DeploymentGuideUpdated:December,2011

consistentandsecureenvironment.Thesystemsthathavetheembeddedsecuritychiparemorerobustagainstanattack;however,forthesystemswithouttheembeddedsecuritych

Chapter2.InstallationThischaptercontainsinstructionsforinstallingClientSecuritySolution,andFingerprintSoftware.BeforeinstallingClientSecuritySolutiono

Table1.PublicpropertiesPropertyDescriptionEMULATIONMODESpecifytoforcetheinstallationinEmulationmodeevenifaTPMexists.SetEMULATIONMODE=1onthecommandline

SoftwareemulationoftheTrustedPlatformModuleClientSecuritySolutionhastheoptiontorunwithoutaTrustedPlatformModuleonqualiedsystems.Thefunctionalitywillb

ThefollowingparametersanddescriptionsaredocumentedintheInstallShielddeveloperhelpdocumentation.ParametersthatdonotapplytoBasicMSIprojectswereremoved.T

Table3.CommandlineparametersParameterDescription/IpackageorproductcodeUsethisformattoinstalltheproduct:Othello:msiexec/i"C:\WindowsFolder\Proles

Table3.Commandlineparameters(continued)ParameterDescriptionYoucanseparatemultipletransformswithasemicolon.Donotusesemicolonsinthenameofyourtransform,a

Table4.WindowsInstallerproperties(continued)PropertyDescriptionARPSYSTEMCOMPONENTPreventsdisplayofapplicationintheAddorRemoveProgramslist.ARPURLINFOAB

InstallingThinkVantageFingerprintSoftwareThesetup.exeleoftheThinkVantageFingerprintSoftwareprogramcanbeinstalledthroughthefollowingmethods:Silentinst

Table7.OptionssupportedbytheThinkVantageFingerprintSoftware(continued)ParameterDescriptionPASSPORTSetthedefaultpassporttype.•1=Localpassport•2=Serverp

Note:Beforeusingthisinformationandtheproductitsupports,readthegeneralinformationinAppendixE“Notices”onpage75.FourthEdition(December2011)©CopyrightLeno

Table7.OptionssupportedbytheThinkVantageFingerprintSoftware(continued)ParameterDescriptionLOCKOUT•1=Enabletheanti-hammeringprotection.•0=Disabletheant

SilentinstallationTosilentlyinstalltheFingerprintSoftware,runthesetup32.exelelocatedintheinstallationdirectoryonyourCD-ROMdrive.Usethefollowingsyntax

Table8.OptionssupportedbytheLenovoFingerprintSoftware(continued)ParameterDescriptionSWALLOWIMEXPORT•0=Disablethengerprintimport/exportfornon-administ

SystemsManagementServerSystemsmanagementserver(SMS)installationsarealsosupported.OpentheSMSadministratorconsole.Createanewpackageandsetpackageproperti

18ClientSecuritySolution8.3DeploymentGuide

Chapter3.WorkingwithClientSecuritySolutionBeforeyouinstallClientSecuritySolution,youshouldunderstandthecustomizationavailableforClientSecuritySolution

enrolledasanactiveuser.EveryotheruserthatlogsintothesystemwillbeautomaticallyrequestedtoenrollintoClientSecuritySolution.•TakeOwnershipAsingleWindowsa

ThefollowingdiagramprovidesthestructurefortheSystemLevelKey:System Level Key Structure - Take OwnershipTrusted Platform ModuleEncrypted via derived AE

Thefollowingdiagramprovidesthestructurefortheuserlevelkey:User Level Key Structure - Enroll UserTrusted Platform ModuleEncrypted via derived AES KeySt

TheTPMemulationmodecannotbeusedasasecuresubstitutefortheTPM.TheTPMprovidesthefollowingtwokeyprotectionmethodsthataremoresecurethantheTPMemulationmode.

ContentsPreface...iiiChapter1.Overview...1ClientSecuritySolution...1ClientSecuritySolutionpassphrase...2ClientSecurity

Thefollowingdiagramprovidesthestructureforthemotherboardswap-takeownership:Motherboard Swap - Take OwnershipTrusted Platform ModuleDecrypted via deriv

EFSprotectionutilityClientSecuritySolutionprovidesacommandlineutilitythatenablesTPM-basedprotectionofencryptioncerticatesusedbytheEncryptingFileSyste

Whenruninsilentmode,theoutputoftheprogramwillbeanerrorlevelcorrespondingtotheerrorsnumbersshownabove.UsingtheXMLSchemaThepurposeoftheXMLscriptingistoe

<ORDER>0001</ORDER><COMMAND>DISABLE_TPM_FUNCTION</COMMAND><VERSION>1.0</VERSION><SYSTEM_PAP>password</SYS

2.Thiscommandisnotsupportedintheemulationmode.ThefollowingcommandenablesthelogonwithfastuserswitchingsupportanddisablestheClientSecuritySolutionWindow

ENABLE_NONE_GINA_FUNCTIONIftheGINAorCP(CredentialProvider)ofoneoftherelatedThinkVantageTechnologiescomponents,suchasThinkVantageFingerprintSoftware,Cl

Note:Thiscommandisnotsupportedintheemulationmode.INITIALIZE_SYSTEM_FUNCTIONThiscommandinitializestheClientSecuritySolutionsystemfunction.Thesystem-wid

Note:Thiscommandisnotsupportedintheemulationmode.ENROLL_USER_FUNCTIONThiscommandenrollsaparticularusertouseClientSecuritySolution.Thisfunctioncreatesa

<DOMAIN_NAME_PARAMETER>IBM-2AA92582C79<DOMAIN_NAME_PARAMETER><USER_PW_REC_ANSWER_DATA_PARAMETER>Test1</USER_PW_REC_ANSWER_DATA_PA

1.GotothefollowingWebsite:http://www.rsasecurity.com/node.asp?id=11562.Completetheregistrationprocess.3.DownloadandinstalltheRSASecurIDSoftware.Requir

Scenario2...59SwitchingClientSecuritySolutionmodes...61CorporateActiveDirectoryrollout...61StandaloneInstallforCDorscriptles...62Sy

Table10.ThinkVantage\ClientSecuritySolution\AuthenticationPolicies\PKCS#11Signature\CustomModeFieldsCSS.ADMModiableeldRequiredFieldDescriptionContro

•“CerticateTransfertool”onpage37•“ActivatingordeactivatingtheTPM”onpage38SecurityAdvisorTousetheSecurityAdvisorfunction,launchtheClientSecuritySoluti

Table11.Parameters(continued)ParametersDescriptionEmbeddedSecurityChipSetsvaluethatsecuritychipshouldbeenabled,orsettingwillbeagged.ClientSecuritySol

Table13.ParametersforencryptingordecryptingClientSecurityXMLdeploymentles(continued)ParametersResults/encryptor/decryptSelects/encryptforXMLlesand/d

Table16.css_cert_transfer_tool.exe<cert_store_type><lter_type>:<name|size>|all_access|usageParameterDescription<cert_store_type&

Fordesktopcomputers,dothefollowingtoactivatetheTPM:1.GototheWebsiteathttp://support.lenovo.com/en_US/detail.page?LegacyDocID=MIGR-75407.2.ClickVisualB

•Disabled•Activated•Deactivated•Owned•Notowned/setstate:<state>setstheTPMstatustypeyouprefer.0representsdisabledanddeactivated.1representsenable

ThefollowingexamplesaresettingsthatActiveDirectorycanmanageforClientSecuritySolution:•Securitypolicies.•Customsecuritypolicies;suchaswhethertouseaWind

HKLM\Software\Lenovo\ClientSecuritySolution\Userpreferences:HKCU\Software\Lenovo\ClientSecuritySolution\Defaultuserpreferences:HKLM\Software\Lenovo\Cl

Table20.ComputerConguration➙Administrativetemplates➙ThinkVantage➙ClientSecuritySolution➙Authenticationpolicies➙Defaultmode(continued)PolicyEnabledset

PrefaceInformationpresentedinthisguideistosupportLenovo®computersinstalledwiththeThinkVantage®ClientSecuritySolutionprogramandtheFingerprintSoftwarepr

Table22.ComputerConguration➙ThinkVantage➙ClientSecuritySolution➙Passwordmanager(continued)PolicysettingDescriptionDisableAuto-llControlswhetherPassw

Table23.ComputerConguration➙ThinkVantage➙ClientSecuritySolution➙Userinterface(continued)PolicysettingDescriptionEnable/disableWindowspasswordrecovery

Table24.ComputerConguration➙ThinkVantage➙ClientSecuritySolution➙Workstationsecuritytool(continued)PolicySettingDescriptionClientSecurityEmbeddedSecur

Chapter4.WorkingwithThinkVantageFingerprintSoftwareThengerprintconsolemustberunfromtheThinkVantageFingerprintSoftwareinstallationfolder.Thebasicsynta

Table25.User-speciccommands(continued)CommandSyntaxDescriptionEnumerateenrolledusersListListstheenrolledusers.ExportenrolledusertoaleSyntax:EXPORTus

SecuremodeandconvenientmodeFingerprintSoftwarecanberunintwosecuritymodes,asecuremodeandaconvenientmode.Thesecuremodeisintendedforsituationswhenyouwant

Table28.Optionsforlimitedusersinthesecuremode(continued)SettingDescriptionDeletePassportLimitedusercandeleteonlytheirownpassport.Power-onSecurityLimit

Table30.Optionsforlimitedusersintheconvenientmode(continued)SettingsDescriptionSecuritymodeLimiteduserscannotmodifysecuritymodes.ProServersLimiteduser

Thengerprintsoftwarewillcontinuetovalidatethepasswordatsystemlogon.Note:Whentheaboveregistrykeyissetto1,ifthedomainadministratorchangestheuser's

8.LogontoWindows.9.Reboot.Note:YourauthenticationIDandpasswordforWindowsandNovellmustbeidentical.ThinkVantageFingerprintSoftwareserviceTheupeksvr.exes

ivClientSecuritySolution8.3DeploymentGuide

54ClientSecuritySolution8.3DeploymentGuide

Chapter5.WorkingwithLenovoFingerprintSoftwareThengerprintconsolemustberunfromtheLenovoFingerprintSoftwareinstallationfolder.ThebasicsyntaxisFPRCONSOL

Table31.Policysettings(continued)SettingDescriptionadministratorswillonlybeabletologinusingngerprints.Allowusertoretrievepasswordthroughngerprintaut

Chapter6.BestPracticesThischapterpresentsscenariostoillustratethebestpracticesofClientSecuritySolutionandFingerprintSoftware.Thisscenariostartswiththe

3)TypetheClientSecuritypassphrase(forexample,CSPP4Admin)fortheadministratoraccount,selecttheUsetheClientSecuritypassphrasetoprotectaccesstotheRescuean

*******************************************************Readytotakesysprepbackup.********PLEASERUNSYSPREPNOWANDSHUTDOWN.********Nexttimethemachineboots

b.Double-clicktheextractedsetup.exeleandfollowtheinstructionsonthescreentoinstalltheThinkVantageFingerprintSoftware.4.InstalltheThinkVantageFingerpri

3.InstalltheThinkVantageFingerprintconsoleonthedeploymentmachinebydoingthefollowing:a.Deploythefprconsole.exelethathasbeenextractedfromthepreparation

c.ThroughActiveDirectory,enableAntidoteDeliveryManager.Placepackagestoberunandmakesurereportingiscaptured.StandaloneInstallforCDorscriptlesForastanda

3.FromtheFilemenu,clickAdd/RemoveSnap-in,andthenclickAdd.TheAddStandalonesnap-inwindowdisplays.4.Double-clickCerticationAuthorityinthesnap-inlist,and

Chapter1.OverviewThischapterprovidesanoverviewofClientSecuritySolutionandFingerprintSoftware.Thetechnologiespresentedinthisdeploymentguidecandirectlya

ThissectiondescribesthecommonusagescenariosanddeploymentstrategiesforngerprintsoftwarethatisinstalledonthelatestThinkPadnotebookcomputermodels.Note:•

Table32.RegistrykeysNameValueDescription0(default)Speciesthattheexternalngerprintsensorispreferredwheneverthengerprintkeyboardisconnected.PreferInt

66ClientSecuritySolution8.3DeploymentGuide

AppendixA.SpecialconsiderationsforusingtheLenovoFingerprintKeyboardwithsomeThinkPadnotebookmodelsThengerprintdeviceusedinsomeThinkPadnotebookmodelsis

•UsingtheFingerprintSoftwarelogoninterfaceThelogoninterfacesofbothLenovoFingerprintSoftwareandThinkVantageFingerprintSoftwaremustbeenabled.Whenbothng

AppendixB.SynchronizingpasswordinClientSecuritySolutionaftertheWindowspasswordisresetAftertheWindowspasswordisreset,ClientSecuritySolutioncontinuallyp

70ClientSecuritySolution8.3DeploymentGuide

AppendixC.UsingClientSecuritySolutiononareinstalledWindowsoperatingsystemIfyourWindowsoperatingsysteminstalledwithClientSecuritySolutionhasbeenreinsta

72ClientSecuritySolution8.3DeploymentGuide

AppendixD.UsingtheTPMonThinkPadnotebookcomputersThemainusecasefortheTPMistheBitLockerfeaturethatisincludedwithcertainversionsoftheMicrosoftWindowsVist

ClientSecuritySolutionpassphraseTheClientSecuritySolutionpassphraseisanoptionalfeatureofuserauthenticationthatwillprovideenhancedsecuritytoClientSecur

•Atmel-ThinkPadT60/R60/X60/X300,ThinkCentreM57•Intel-ThinkPadT500/R500/X200/X301•STMicro-ThinkPadT410/T510/X201/T420/T520/X220,ThinkCentreM90•Winbond-

AppendixE.NoticesLenovomaynotoffertheproducts,services,orfeaturesdiscussedinthisdocumentinallcountries.ConsultyourlocalLenovorepresentativeforinformat

TrademarksThefollowingtermsaretrademarksofLenovointheUnitedStates,othercountries,orboth:LenovoThinkCentreThinkPadThinkVantageMicrosoft,InternetExplore

GlossaryAdministrator(ThinkCentre)/Supervisor(ThinkPad)BIOSPasswordTheadministratororsupervisorpasswordisusedtocontroltheabilitytochangeBIOSsettings.T

Symmetric-keyencryptionSymmetrickeyencryptionciphersusethesamekeyforencryptionanddecryptionofdata.Symmetrickeyciphersaresimplerandfaster,buttheirmaind

PartNumber:PrintedinUSA(1P)P/N:**

entryrelatedchangescanbedetectedautomaticallybyClientSecurityPasswordManagerandallowstheusertoupdatetheirentrieswithevenlesswork.•Saveyourinformationw