Client Security Solution 8.21 Deployment Guide


Client Security Solution 8.21 Deployment Guide
Date: February 25, 2009
Includes: ThinkVantage Fingerprint Software 5.8.2 and Lenovo Fingerprint Software 2.0


Second Edition (March 2009)
Copyright Lenovo 2008, 2009. All rights reserved.
LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold to governmental entities as commercial items as defined by 48 C.F.R. 2.101 with limited and restricted rights to use, reproduction and disclosure.
LIMITED AND RESTRICTED RIGHTS NOTICE: If products, data, computer software, or services are delivered pursuant to a General Services Administration "GSA" contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.

Contents

Preface
Chapter 1. Overview
  Client Security Solution
    Client Security Solution passphrase
    Client Security password recovery
    Client Security Password Manager
    Security Advisor
    Certificate Transfer wizard
    Hardware password reset
    Support for systems without Trusted Platform Module
  Fingerprint Software
Chapter 2. Installation
  Client Security Solution
    Installation requirements
    Custom public properties
    Trusted Platform Module support
    Installation procedures and command-line parameters
    Standard Windows Installer public properties
    Installation log files
    Installing Client Security Solution 8.21 with existing versions
  Installing ThinkVantage Fingerprint Software
    Silent installation
    Options
  Installing Lenovo Fingerprint Software
    Silent installation
    Options
  Systems Management Server
Chapter 3. Working with Client Security Solution
  Using the Trusted Platform Module
    Using the Trusted Platform Module with Windows Vista
  Managing Client Security Solution with cryptographic keys
    Take Ownership
    Enroll User
    Software emulation
    System board swap
    EFS protection utility
  Using the XML Schema
    Examples
  Using Smart Cards
    Installing the smart card package
    Requirements
    How it works
    Policy Manager support
  Using RSA SecurID tokens
    Installing the RSA SecurID Software Token
    Requirements
    Setting the Smart Card Access Options
    Installing the RSA SecurID Software Token manually
    Active Directory Support
  Settings and policies for the fingerprint reader authentication
    Enforced fingerprint bypass option
    Fingerprint swipe result
  Command-line tools
    Security Advisor
    Client Security Solution setup wizard
    Deployment file encrypt or decrypt tool
    Deployment file processing tool
    TPMENABLE.EXE
    Certificate Transfer tool
    TPM activate tool
  Active Directory Support
    Administrative (ADM) template files
    Group Policy settings
  Active Update
Chapter 4. Working with ThinkVantage Fingerprint Software
  Management console tool
    User-specific commands
    Global settings commands
  Secure mode and convenient mode
    Secure mode - administrator
    Secure mode - limited user
    Convenient mode - administrator
    Convenient mode - limited user
    Configurable settings
  Fingerprint Software and Novell Netware Client
    Authenticating
  ThinkVantage Fingerprint Software service
Chapter 5. Working with Lenovo Fingerprint Software
  Management console tool
  Lenovo Fingerprint Software service
  Active Directory support for Lenovo Fingerprint Software
Chapter 6. Best Practices
  Deployment examples for installing Client Security Solution
    Scenario 1
    Scenario 2
  Switching Client Security Solution modes
  Corporate Active Directory rollout
  Standalone Install for CD or script files
  System Update
  System Migration Assistant
  Generating a certificate using key generation in the TPM
    Requirements
    Requesting certificate from the Server
  Using USB fingerprint keyboards with 2008 ThinkPad notebook computer models (R400/R500/T400/T500/W500/X200/X301)
    Windows Vista logon
    Windows XP logon
  Client Security Solution and Password Manager
  Preboot Authentication – using fingerprint instead of BIOS passwords
Appendix A. Considerations when using OmniPass
Appendix B. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models
  Configuration and setup
  Pre-desktop authentication
  Windows logon
    Windows XP - Welcome Screen
    Windows XP - Classic logon prompt
    Windows Vista
  Authentication with Client Security Solution
Appendix C. Synchronizing password in CSS after the Windows password is reset
Appendix D. Notices
  Trademarks
Glossary

Preface

This guide is intended for IT administrators, or those responsible for deploying ThinkVantage Client Security Solution and ThinkVantage Fingerprint Software to computers throughout their organizations. This guide provides the information required to install Client Security Solution and Fingerprint Software on one or more computers, provided that licenses for the software are available for each target computer.

The goal of Client Security Solution and Fingerprint Software is to protect your systems by securing client data and to deflect security breach attempts. For questions and information about using the various components of Client Security Solution and Fingerprint Software, refer to the online help system for the components located at http://www.lenovo.com/thinkvantage.

Periodically, these guides are updated. Visit the following Web site for age

If you have suggestions or comments, communicate with your Lenovo authorized representative.


Chapter 1. Overview

This chapter provides an overview of Client Security Solution and Fingerprint Software. The technologies presented in this deployment guide can directly and indirectly help IT professionals because they help make personal computers easier to use and more self-sufficient, and provide powerful tools that facilitate and simplify rollouts. With the help of ThinkVantage Technologies, IT professionals spend less time solving individual computer problems and more time on their core tasks.

Client Security Solution

The primary purpose of Client Security Solution software is to help you protect your computer as an asset, protect confidential data on your computer, and protect network connections accessed by your computer. (For Lenovo-branded systems that contain a Trusted Computing Group (TCG) compliant Trusted Platform Module (TPM), Client Security Solution software will leverage the hardware as the root of trust for the system. If the system does not contain an embedded security chip, Client Security Solution will leverage software-based cryptographic keys as the root of trust for the system.)

Features of Client Security Solution Version 8.2 include:

- Secure user authentication with Windows password or Client Security Solution passphrase
  Client Security Solution can be configured to accept a user's Windows password or a Client Security Solution passphrase for authentication. The Windows password provides convenience and manageability through Windows, while the Client Security Solution passphrase provides additional security. The administrator can choose which authentication method is used, and this setting can be changed even after users are enrolled with Client Security Solution.
- Fingerprint user authentication
  Leverages the integrated and USB-attached fingerprint technology to authenticate users to password-protected applications.
- Smart card user authentication
  Leverages a registered smart card for user authentication.
- Multi-factor user authentication for Windows logon and various Client Security Solution operations
  Defines multiple authentication devices (Windows password/Client Security passphrase, fingerprint, and smart card) for various security-related operations.
- Password management
  Securely manages and stores sensitive logon information, such as user IDs and passwords.
- Password and passphrase recovery
  Password and passphrase recovery allows users to log into Windows and access their Client Security Solution credentials even if they forget their Windows password or Client Security Solution passphrase, by answering preconfigured security questions.
- Audit security settings
  Allows users to view a detailed list of workstation security settings and make changes to comply with defined standards.

- Digital certificates transfer
  Client Security Solution protects the private key of user and machine certificates. Use Client Security Solution to protect the private key of your existing certificates.
- Policy Management for authentication
  An administrator can choose which devices (Windows password, Client Security Solution passphrase, fingerprint, or smart card) are required to authenticate for the following actions: Windows logon, Password Manager, and certificate operations.

Client Security Solution passphrase

The Client Security Solution passphrase is an optional feature of user authentication that provides enhanced security to Client Security Solution applications. The Client Security Solution passphrase has the following requirements:

- Be at least eight characters long
- Contain at least one digit
- Be different from the last three passphrases
- Contain no more than two repeating characters
- Not begin with a digit
- Not end with a digit
- Not contain the user ID
- Not be changed if the current passphrase is less than three days old
- Not contain three or more identical consecutive characters as the current passphrase in any position
- Not be the same as the Windows password

The Client Security Solution passphrase is only known by the individual user. The only way to recover from a forgotten Client Security Solution passphrase is to execute the Client Security Solution password recovery function. If the user has forgotten the answers to his or her recovery questions, then there is no way to recover the data protected by the Client Security Solution passphrase.

Client Security password recovery

This optional feature allows Client Security enrolled users to recover a forgotten Windows password or Client Security passphrase by answering three questions correctly. If this feature is enabled, you will select three answers to ten pre-chosen questions. If you forget your Windows password or Client Security passphrase, you will have the option to answer these three questions to reset your password or passphrase.

Notes:
1. When using the Client Security passphrase, Client Security password recovery is the only option for recovering a forgotten passphrase. If you forget the answers to your three questions, you will be forced to rerun the enrollment wizard and lose all previous Client Security protected data.
2. When using Client Security to protect the Rescue and Recovery Predesktop Area, the Password Recovery option will actually display your Client Security passphrase and/or Windows password. The passphrase or password is displayed because the Predesktop Area does not have the ability to automatically perform a Windows password change. The passphrase or password is displayed when a wireless (non-network attached, locally cached domain) user performs this function at the Windows logon.

Client Security Password Manager

Client Security Password Manager enables you to manage easy-to-forget application and web site information, such as user IDs, passwords, and other personal information. Client Security Password Manager protects your personal information through Client Security Solution so that access to your applications and web sites remains totally secure. The Client Security Password Manager program also saves time and effort because you only have to remember one password or passphrase, provide your fingerprint, or use your smart card.

Client Security Password Manager enables you to perform the following functions:

- Encrypt all stored information through the Client Security Solution software:
  Automatically encrypts all of your information through Client Security Solution. Your sensitive password information is secured by the Client Security Solution encryption keys.
- Autofill user IDs and passwords:
  Automates your login process when you access an application or web site. If your logon information has been entered into Client Security Password Manager, then Client Security Password Manager can automatically fill in the required fields and submit the web site or application.
- Edit entries using the Client Security Password Manager interface:
  Enables you to edit your account entries and set up all optional features in one easy-to-use interface. This interface makes managing your passwords and personal information quick and easy. However, most entry-related changes can be detected automatically by Client Security Password Manager, which lets the user update their entries with even less work.
- Save your information without any extra steps:
  Client Security Password Manager can automatically detect when sensitive information is being sent to a given web site or application. When such a detection is made, Client Security Password Manager prompts the user to save the information, thus simplifying the process of storing sensitive information.
- Save any information into a Secure Scratch Pad:
  With Client Security Password Manager, the user can save any textual data in secure scratch pads. The user's secure scratch pads can be protected with the same level of security as any of their other web site or application entries.
- Export and import login information:
  Enables you to export your sensitive personal information so that you can securely carry it from one computer to another. When you export your login information from the Client Security Password Manager, a password-protected export file is created that can be stored on removable media. Use this file to access your personal information anywhere you go, or to import your entries into another computer with Client Security Password Manager.

  Note: Full import support is available for Client Security Solution Versions 7.0 and 8.x export files. Limited import support is available for Client Security Solution Version 6.0 (application entries are not imported). Client Security Software Solution Versions 5.4x and previous versions will not import into the Client Security Solution Version 8.x Password Manager.
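The passphrase requirements listed under "Client Security Solution passphrase" above, implemented as a checker that reports every rule a candidate passphrase breaks. This is an added example, not Lenovo's code: the function names, the reading of "no more than two repeating characters" as "no run of three identical characters", the positional comparison with the current passphrase, and the case-insensitive user ID match are assumptions.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 8
HISTORY_DEPTH = 3   # must differ from the last three passphrases
MIN_AGE_DAYS = 3    # current passphrase must be at least three days old


def shares_positional_run(candidate, current, run=3):
    """True if candidate and current contain `run` identical consecutive
    characters at the same positions (assumed reading of the
    'in any position' rule in the guide)."""
    limit = min(len(candidate), len(current)) - run + 1
    return any(candidate[i:i + run] == current[i:i + run] for i in range(limit))


def check_passphrase(candidate, user_id, windows_password, history,
                     last_changed=None, today=None):
    """Return the names of the rules the candidate violates; an empty list
    means it is acceptable.  `history` lists earlier passphrases, most
    recent (the current one) first.  `last_changed` is the date the current
    passphrase was set; `today` can be fixed for testing."""
    today = today or date.today()
    current = history[0] if history else None
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isdigit() for c in candidate):
        problems.append("no_digit")
    if candidate in history[:HISTORY_DEPTH]:
        problems.append("reused_recent")
    # "no more than two repeating characters": assumed to mean no run of
    # three identical characters, e.g. "aaa"
    if re.search(r"(.)\1\1", candidate):
        problems.append("repeated_chars")
    if candidate[:1].isdigit():
        problems.append("starts_with_digit")
    if candidate[-1:].isdigit():
        problems.append("ends_with_digit")
    # case-insensitive match is an assumption (Windows user IDs are not case-sensitive)
    if user_id and user_id.lower() in candidate.lower():
        problems.append("contains_user_id")
    if (current is not None and last_changed is not None
            and today - last_changed < timedelta(days=MIN_AGE_DAYS)):
        problems.append("current_too_new")
    if current is not None and shares_positional_run(candidate, current):
        problems.append("overlaps_current")
    if candidate == windows_password:
        problems.append("same_as_windows")
    return problems
```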

Security Advisor

The Security Advisor tool allows you to view a summary of the security settings currently set on your computer. You can use these settings to view your current security status or to enhance your system security. The displayed category default values can be changed through the Windows registry. Examples of the security categories included are:

- Hardware passwords
- Windows user passwords
- Windows password policy
- Protected screen saver
- File sharing

Certificate Transfer wizard

The Client Security Certificate Transfer wizard guides you through the process of transferring the private keys associated with your certificates from the software-based Microsoft cryptographic service provider (CSP) to the hardware-based Client Security Solution CSP. After the transfer, operations using the certificates are more secure because the private keys are protected by Client Security Solution.

Hardware password reset

This tool creates a secure environment that runs independently of Windows and helps you reset forgotten power-on and hard-disk-drive passwords. Your identity is established by answering a set of questions that you create. Create this secure environment as soon as possible, before a password is forgotten. You cannot reset a forgotten hardware password until this secure environment is created on your hard drive and you have enrolled. This tool is available on select computers only.

Support for systems without Trusted Platform Module

Client Security Solution Version 8.2 supports IBM-branded and Lenovo-branded systems that do not have a compliant embedded security chip. This support allows a standard installation across the entire enterprise in order to create a consistent secure environment. The systems that have the embedded security hardware are more robust against an attack; however, the software-only machines also benefit from the additional security and functionality.

Fingerprint Software

The objective of the biometric fingerprint technologies offered by Lenovo is to help customers reduce the costs associated with managing passwords, enhance the security of their systems, and help address regulatory compliance. With Lenovo fingerprint readers, Fingerprint Software enables fingerprint authentication on individual computers and networks. Fingerprint Software combined with Client Security Solution Version 8.2 offers expanded functionality. For Client Security Solution 8.21, both ThinkVantage Fingerprint Software 5.8.2 and Lenovo Fingerprint Software 2.0 are supported for different machine types. You can find out more about Lenovo fingerprint technologies and download the software 50.html

Fingerprint Software offers these functions:

- Client software capabilities
  - Microsoft Windows password replacement:
    Replaces your password with your fingerprint for easy, fast, and secure system access.
  - BIOS password (also known as power-on password) and hard drive password replacement:
    Replaces passwords with your fingerprint to enhance logon security and convenience.
  - Pre-boot fingerprint authentication for SafeGuard Easy full-drive encryption:
    Utilizes fingerprint authentication to decrypt your hard drive before starting Windows.
  - Single swipe to access BIOS and Windows:
    Saves valuable time by swiping your finger at start up to gain access to both BIOS and Windows.
  - Integration with Client Security Solution:
    Use with the Client Security Solution Password Manager and leverage the Trusted Platform Module. Users can swipe their finger to access Web sites and select applications.
- Administrator features
  - Security mode toggle:
    Allows an administrator to toggle between secure and convenient modes to modify the access rights of limited users.
- Security capabilities
  - Software security:
