ClientSecuritySolution8.21DeploymentGuideUpdated:February,2012
youcreate.Createthissecureenvironmentassoonaspossible,beforeapasswordisforgotten.Youcannotresetaforgottenhardwarepassworduntilthissecureenvironmentisc
Chapter2.InstallationThischaptercontainsinstructionsforinstallingClientSecuritySolution,andFingerprintSoftware.BeforeinstallingClientSecuritySolutiono
CustompublicpropertiesTheinstallationpackagefortheClientSecuritySoftwareprogramcontainsasetofcustompublicpropertiesthatcanbesetonthecommandlinewhenrun
Afterownershipofthesystemiscongured,eachadditionalWindowsuserthatlogsintothesystemisautomaticallypromptedwiththeClientSecuritysSetupwizardinordertoen
customizationsaremade,theusercallsmsiexec.exefromthecommandline,passingthenameoftheunpackedMSIle.Thefollowingparametersanddescriptionsaredocumentedin
Table3.CommandlineparametersParameterDescription/IpackageorproductcodeUsethisformattoinstalltheproduct:Othello:msiexec/i"C:\WindowsFolder\Proles
Table3.Commandlineparameters(continued)ParameterDescriptionYoucanseparatemultipletransformswithasemicolon.Donotusesemicolonsinthenameofyourtransform,a
Table4.WindowsInstallerproperties(continued)PropertyDescriptionARPSYSTEMCOMPONENTPreventsdisplayofapplicationintheAddorRemoveProgramslist.ARPURLINFOAB
Table6.InstallationexamplesusingClientSecurity-PasswordManager.msiDescriptionExampleInstallationmsiexec/i“C:\CSS82\ClientSecuritySolution-PasswordMana
Table7.OptionssupportedbytheFingerprintSoftwareParameterDescriptionCTRLONCEDisplaystheControlCenteronlyonce.Thedefaultvalueis0.CTLCNTRRunstheControlCe
Note:Beforeusingthisinformationandtheproductitsupports,readthegeneralinformationinAppendixD“Notices”onpage75.ThirdEdition(February2012)©CopyrightLenov
Table8.OptionssupportedbytheLenovoFingerprintSoftwareParameterDescriptionSWAUTOSTART•0=willnotstartngerprintsoftwareonWindowsstartup.•1=willstartnge
Table8.OptionssupportedbytheLenovoFingerprintSoftware(continued)ParameterDescriptionSWANTIHAMMERRETRIESSpeciesthemaximumretries.Thedefaultvalueis5.No
16ClientSecuritySolution8.21DeploymentGuide
Chapter3.WorkingwithClientSecuritySolutionBeforeyouinstallClientSecuritySolution,youshouldunderstandthecustomizationavailableforClientSecuritySolution
enrolledasanactiveuser.EveryotheruserthatlogsintothesystemwillbeautomaticallyrequestedtoenrollintoClientSecuritySolution.•TakeOwnershipAsingleWindowsa
ThefollowingdiagramprovidesthestructurefortheSystemLevelKey:System Level Key Structure - Take OwnershipTrusted Platform ModuleEncrypted via derived AE
Thefollowingdiagramprovidesthestructurefortheuserlevelkey:User Level Key Structure - Enroll UserTrusted Platform ModuleEncrypted via derived AES KeySt
TheTPMemulationmodecannotbeusedasasecuresubstitutefortheTPM.TheTPMprovidesthefollowingtwokeyprotectionmethodsthataremoresecurethantheTPMemulationmode.
Thefollowingdiagramprovidesthestructureforthemotherboardswap-takeownership:Motherboard Swap - Take OwnershipTrusted Platform ModuleDecrypted via deriv
EFSprotectionutilityClientSecuritySolutionprovidesacommandlineutilitythatenablesTPM-basedprotectionofencryptioncerticatesusedbytheEncryptingFileSyste
ContentsPreface...iiiChapter1.Overview...1ClientSecuritySolution...1ClientSecuritySolutionpassphrase...2ClientSecurity
UsingtheXMLSchemaThepurposeoftheXMLscriptingistoenableITadministratorstocreatecustomscriptsthatcanbeusedtodeployandcongureClientSecuritySolution.Thes
<SYSTEM_PAP>password</SYSTEM_PAP></FUNCTION></CSSFile>Note:Thiscommandisnotsupportedintheemulationmode.ENABLE_PWMGR_FUNCTIONTh
ThefollowingcommandenablesthelogonwiththefastuserswitchingsupportanddisablestheClientSecuritySolutionWindowslogon.Thefastuserswitchingmightnotbeenable
ENABLE_NONE_GINA_FUNCTIONIfoneofGINArelatedTVTcomponentssuchasThinkVantageFingerprintSoftware,ClientSecuritySolution,orAccessConnectionlogonisenabled,
Note:Thiscommandisnotsupportedintheemulationmode.INITIALIZE_SYSTEM_FUNCTIONThiscommandinitializestheClientSecuritySolutionsystemfunction.Thesystem-wid
Note:Thiscommandisnotsupportedintheemulationmode.ENROLL_USER_FUNCTIONThiscommandenrollsaparticularusertouseClientSecuritySolution.Thisfunctioncreatesa
<DOMAIN_NAME_PARAMETER>IBM-2AA92582C79<DOMAIN_NAME_PARAMETER><USER_PW_REC_ANSWER_DATA_PARAMETER>Test1</USER_PW_REC_ANSWER_DATA_PA
UsingRSASecurIDtokensLeveringtheencryptionalgorithmmethodofencryptingdata,usingRSASecurIDtokensinadditiontoClientSecuritySolutionwillprovideyourenterp
ToleveragethePKCS#11moduleofClientSecuritySolution,thefollowingpoliciesmustbesetforActiveDirectory:1.PKCS#11Signature2.PKCS#11DecryptionThefollowingta
•“SecurityAdvisor”onpage33•“ClientSecuritySolutionsetupwizard”onpage34•“Deploymentleencryptordecrypttool”onpage34•“Deploymentleprocessingtool”onpage
DeploymentexamplesforinstallingClientSecuritySolution...55Scenario1...55Scenario2...57SwitchingClientSecuritySolut
Table11.Parameters(continued)ParametersDescriptionFileSharingSetsthevalueforthelesharing.1willshowthissection,0willhide.Ifnotpresentthenitisshownbyde
Table13.ParametersforencryptingordecryptingClientSecurityXMLdeploymentlesParametersResults/hor/?DisplaysthehelpmessageFILENAMEDisplayspathnameandlen
Table16.css_cert_transfer_tool.exe<cert_store_type><lter_type>:<name|size>|all_access|usageParameterDescription<cert_store_type&
Table17.ParametersforactivatingordeactivatingtheTPMontheLenovosystem(continued)ParameterDescription/deactivateDeactivatestheTPM.Note:Ifyouruntpm_activ
•DefaultuserpreferencesAsdescribedpreviously,computeranduserpoliciesaredenedbytheadministrator.ThesesettingscanbeinitializedthroughtheXMLconguration
Table19.ComputerConguration➙Administrativetemplates➙ThinkVantage➙ClientSecuritySolution➙Authenticationpolicies➙SecuremodePolicyEnabledsettingsDescrip
Table21.ComputerConguration➙Administrativetemplates➙ThinkVantage➙ClientSecuritySolution➙AuthenticationpoliciesPolicyEnabledsettingsDescriptionPasswor
Table23.ComputerConguration➙ThinkVantage➙ClientSecuritySolution➙UserinterfacePolicysettingDescriptionFingerprintsoftwareoptionShow,grayorhidetheFinge
Table24.ComputerConguration➙ThinkVantage➙ClientSecuritySolution➙Workstationsecuritytool(continued)PolicySettingDescriptionWindowsUsersPasswordsPasswo
ActiveUpdateParameterFileTheActiveUpdateparameterlecontainsthesettingstobepassedtoActiveUpdate.TheTargetAppparameterispassedasshowninthisexample:<
PrefaceThisguideisintendedforITadministrators,orthoseresponsiblefordeployingThinkVantage®ClientSecuritySolutionandThinkVantageFingerprintSoftwaretocom
44ClientSecuritySolution8.21DeploymentGuide
Chapter4.WorkingwithThinkVantageFingerprintSoftwareThengerprintconsolemustberunfromtheFingerprintSoftwareinstallationfolder.ThebasicsyntaxisFPRCONSOL
Table25.User-speciccommands(continued)CommandSyntaxDescriptionExportenrolledusertoaleSyntax:EXPORTusername[|domain\username]leThiscommandwillexport
SecuremodeandconvenientmodeFingerprintSoftwarecanberunintwosecuritymodes,asecuremodeandaconvenientmode.Thesecuremodeisintendedforsituationswhenyouwant
Table28.Optionsforlimitedusersinthesecuremode(continued)SettingDescriptionDeletePassportLimitedusercandeleteonlytheirownpassport.Power-onSecurityLimit
Table30.Optionsforlimitedusersintheconvenientmode(continued)SettingsDescriptionSecuritymodeLimiteduserscannotmodifysecuritymodes.ProServersLimiteduser
Thengerprintsoftwarewillcontinuetovalidatethepasswordatsystemlogon.Note:Whentheaboveregistrykeyissetto1,ifthedomainadministratorchangestheuser's
9.Reboot.Note:YourauthenticationIDandpasswordforWindowsandNovellmustbeidentical.ThinkVantageFingerprintSoftwareserviceTheupeksvr.exeserviceisaddedtoth
52ClientSecuritySolution8.21DeploymentGuide
Chapter5.WorkingwithLenovoFingerprintSoftwareThengerprintconsolemustberunfromtheLenovoFingerprintSoftwareinstallationfolder.ThebasicsyntaxisFPRCONSOL
ivClientSecuritySolution8.21DeploymentGuide
Table31.Policysettings(continued)SettingDescriptionAlwaysshowpower-onsecurityoptionsIfyouenablethissetting,userswillbeabletoselectusingtheFingerprintR
Chapter6.BestPracticesThischapterpresentsscenariostoillustratethebestpracticesofClientSecuritySolutionandFingerprintSoftware.Thisscenariostartswiththe
•TypetheClientSecuritypassphrase(forexample,CSPP4Admin)fortheadministratoraccount,checktheUsetheClientSecuritypassphrasetoprotectaccesstotheRescueandR
*******************************************************Readytotakesysprepbackup.********PLEASERUNSYSPREPNOWANDSHUTDOWN.********Nexttimethemachineboots
4.InstallThinkVantageFingerprinttutorialbyrunningthef001zpz7001us00.exetoextractthetutess.exelefromtheWebpackage.Thiswillautomaticallyextractthesetup
5.Afterrebootingthesystem,congurethesystemwiththeXMLscriptlethroughthefollowingprocedure:•CopytheThinkPad.xml.enclepreparedearlytotheC:\directory.•
2.Overinstallallthreedifferentversionsofoldersoftware(RescueandRecovery1.0/2.0/3.0,Fingerprint,ClientSecuritySolution5.4–6,FFE).Settingsshouldbekeptwh
1.OpenCerticationAuthority.2.Intheconsoletree,clickCerticateT emplates.3.FromtheActionmenu,clickNew➙CerticatetoIssue.4.ClickTPMandclickOK.Applyingc
4.UsetheThinkVantagengerprintsoftwaretoenrollyourngerprintswiththeexternalngerprintsensor.Ifitdoesnotautomaticallystart,clickStart➙Programs➙ThinkVa
11.ClickStart➙Programs➙ThinkVantage➙ThinkVantageFingerprintSoftwaretostarttheenrollment.12.ClickFingerprints➙EnrollorEditFingerprints,andthenclickNext
Chapter1.OverviewThischapterprovidesanoverviewofClientSecuritySolutionandFingerprintSoftware.Thetechnologiespresentedinthisdeploymentguidecandirectlya
ClientSecuritySolutionandPasswordManagerDifferentfromWindowslogon,authenticationrequestsfromClientSecuritySolutionandPasswordManageronlyworkontheprefe
Note:IfthesettingPower-onSecurityisnotavailable,createaregistryentryasfollowstodisplaythissetting:[HKEY_LOCAL_MACHINE\SOFTWARE\ProtectorSuiteQL\1.0]RE
66ClientSecuritySolution8.21DeploymentGuide
AppendixA.ConsiderationswhenusingOmniPassOmniPassfromSoftex©isaprogramthatcanbeusedtosecurelylogintoWebsitesandapplications,aswellasprotectdataonacomp
Table33.Omnipassfeatureoverlap(continued)FunctionFeatureoverlapConsiderationsUserauthenticationBothClientSecuritySolutionandOmniPassmaypromptforuserau
AppendixB.SpecialconsiderationsforusingtheLenovoFingerprintKeyboardwithsomeThinkPadnotebookmodelsThengerprintdeviceusedinsomeThinkPadnotebookmodelsis
WindowsXP-WelcomeScreenTosupportloggingonwitheithertheLenovoFingerprintKeyboardorthebuilt-inThinkPadngerprintsensorwiththeWindowsXPWelcomeScreen,thel
2.TheWindowsVistalogonscreenmayonlyshowone“tile,orbutton,forngerprintlogon,althougheitherngerprintsensorcanbeusedtologon.Alternatively,tosupportlogo
72ClientSecuritySolution8.21DeploymentGuide
AppendixC.SynchronizingpasswordinCSSaftertheWindowspasswordisresetAftertheWindowspasswordisreset,ClientSecuritySolutioncontinuallypromptsyouforanewWin
ClientSecuritySolutionpassphraseTheClientSecuritySolutionpassphraseisanoptionalfeatureofuserauthenticationthatwillprovideenhancedsecuritytoClientSecur
74ClientSecuritySolution8.21DeploymentGuide
AppendixD.NoticesLenovomaynotoffertheproducts,services,orfeaturesdiscussedinthisdocumentinallcountries.ConsultyourlocalLenovorepresentativeforinformat
TrademarksThefollowingtermsaretrademarksofLenovointheUnitedStates,othercountries,orboth:LenovoRescueandRecoveryThinkCentreThinkPadThinkVantageMicrosof
GlossaryAdministrator(ThinkCentre)/Supervisor(ThinkPad)BIOSPasswordTheadministratororsupervisorpasswordisusedtocontroltheabilitytochangeBIOSsettings.T
Symmetric-keyencryptionSymmetrickeyencryptionciphersusethesamekeyforencryptionanddecryptionofdata.Symmetrickeyciphersaresimplerandfaster,buttheirmaind
•AutolluserIDsandpasswords:Automatesyourloginprocesswhenyouaccessanapplicationorwebsite.IfyourlogoninformationhasbeenenteredintoClientSecurityPasswor
Comments to this Manuals