Page 2 - “Notices” on page 75.
Note: Before using this information and the product it supports, read the general information in Appendix D “Notices” on page 75. Third Edition (February 2012) © Copyright Lenovo 2008, 2012. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administra...
Page 3 - Contents; iii
Contents
Preface . . . iii
Chapter 1. Overview . . . 1
Client Security Solution . . . 1
Client Security Solution passphrase . . . 2
Client Security password recovery . . . 2
Client Security Password Manager . . . 2
Security ...
Page 4 - ii
Deployment examples for installing Client Security Solution . . . 55
Scenario 1 . . . 55
Scenario 2 . . . 57
Switching Client Security Solution modes . . . 59
Corporate Active Directory rollout . . . 59
Standalone Insta...
Page 5 - Preface; Client Security
Preface
This guide is intended for IT administrators, or those responsible for deploying ThinkVantage® Client Security Solution and ThinkVantage Fingerprint Software to computers throughout their organizations. This guide provides the information required to install Client Security Solution and Fing...
Page 6 - iv
Page 7 - Client Security Solution; Features of Client Security Solution Version 8.2 include:
Chapter 1. Overview
This chapter provides an overview of Client Security Solution and Fingerprint Software. The technologies presented in this deployment guide can directly and indirectly help IT professionals because they help make personal computers easier to use, more self-sufficient, and provide p...
Page 9 - Security Advisor
• Autofill user IDs and passwords: Automates your login process when you access an application or web site. If your logon information has been entered into Client Security Password Manager, then Client Security Password Manager can automatically fill in the required fields and submit the web site or a...
Page 10 - Fingerprint Software offers these functions:
you create. Create this secure environment as soon as possible, before a password is forgotten. You cannot reset a forgotten hardware password until this secure environment is created on your hard drive and after you have enrolled. This tool is available on select computers only. Support for systems w...
Page 11 - Chapter 2. Installation; Requirements for Lenovo computers; Operating system: Windows Vista
Chapter 2. Installation
This chapter contains instructions for installing Client Security Solution and Fingerprint Software. Before installing Client Security Solution or Fingerprint Software, you should understand the architecture of the application you are installing. This chapter provides the arch...
Page 12 - Custom public properties; Trusted Platform Module support
Custom public properties
The installation package for the Client Security Software program contains a set of custom public properties that can be set on the command line when running the installation. The following table provides the custom public properties for Windows XP and Windows 2000:
Table 1. P...
Page 13 - Software emulation of the Trusted Platform Module; Installation procedures and command-line parameters; or
After ownership of the system is configured, each additional Windows user that logs into the system is automatically prompted with the Client Security Setup wizard in order to enroll and initialize the user’s security keys and credentials.
Software emulation of the Trusted Platform Module
Client Secu...
Page 16 - Standard Windows Installer public properties
Table 3. Command line parameters (continued)
Parameter / Description
You can separate multiple transforms with a semicolon. Do not use semicolons in the name of your transform, as the Windows Installer service will interpret those incorrectly.
Properties: All public properties can be set or modified from...
Page 17 - Installation log files; Installation examples
Table 4. Windows Installer properties (continued)
Property / Description
ARPSYSTEMCOMPONENT: Prevents display of application in the Add or Remove Programs list.
ARPURLINFOABOUT: URL for an application's home page.
ARPURLUPDATEINFO: URL for application-update information.
REBOOT: The REBOOT property suppres...
Page 18 - Installing Client Security Solution 8.21 with existing versions; the previous version of Client Security Solution.; Installing ThinkVantage Fingerprint Software; Use the following syntax:; Options; The following options are supported by the Fingerprint Software:
Table 6. Installation examples using Client Security - Password Manager.msi
Description / Example
Installation: msiexec /i "C:\CSS82\Client Security Solution - Password Manager.msi"
Silent installation with no reboot: msiexec /i "C:\CSS82\Client Security Solution - Password Manager.msi" /qn REBOOT="R"
Sile...
Page 19 - Installing Lenovo Fingerprint Software
Table 7. Options supported by the Fingerprint Software
Parameter / Description
CTRLONCE: Displays the Control Center only once. The default value is 0.
CTLCNTR: Runs the Control Center on startup. The default value is 1.
DEFFUS: • 0 = will not use Fast User Switching (FUS) settings. • 1 = Will try to use ...
Page 21 - Systems Management Server
Table 8. Options supported by the Lenovo Fingerprint Software (continued)
Parameter / Description
SWANTIHAMMERRETRIES: Specifies the maximum retries. The default value is 5. Note: This setting works only when SWANTIHAMMER is enabled.
SWANTIHAMMERTIMEOUT: Specifies the timeout duration in seconds. The de...
Page 23 - Chapter 3. Working with Client Security Solution; Using the Trusted Platform Module; wrapping; Using the Trusted Platform Module with Windows Vista; Security chip has been deactivated, the logon process cannot be; Managing Client Security Solution with cryptographic keys
Chapter 3. Working with Client Security Solution
Before you install Client Security Solution, you should understand the customization available for Client Security Solution. This chapter provides customization information about Client Security Solution, as well as information regarding the Trusted Pla...
Page 24 - Take Ownership
enrolled as an active user. Every other user that logs into the system will be automatically requested to enroll into Client Security Solution.
• Take Ownership
A single Windows administrator user ID is assigned as the sole Client Security Solution Administrator for the system. Client Security Solutio...
Page 25 - System Level Key Structure - Take Ownership; Enroll User
The following diagram provides the structure for the System Level Key:
Figure: System Level Key Structure - Take Ownership. Labels: Trusted Platform Module; Encrypted via derived AES Key; Storage Root Private Key; Storage Root Public Key; System Leaf Private Key; System Base Private Key; System Leaf Public Key; System Base...
Page 26 - User Level Key Structure - Enroll User; Background enrollment; Reset Security Settings; Or by editing the following registry key as below:; Software emulation
The following diagram provides the structure for the user level key:
Figure: User Level Key Structure - Enroll User. Labels: Trusted Platform Module; Encrypted via derived AES Key; Storage Root Private Key; Storage Root Public Key; User Leaf Private Key; User Base Private Key; User Leaf Public Key; User Base Public Key; Win...
Page 27 - System board swap; Follow these steps to perform the system board swap:
The TPM emulation mode cannot be used as a secure substitute for the TPM. The TPM provides the following two key protection methods that are more secure than the TPM emulation mode.
• All keys used by the TPM are protected by a unique root-level key. The unique root-level key is created inside the TP...
Page 28 - Motherboard Swap - Take Ownership; Motherboard Swap - Enroll User
The following diagram provides the structure for the motherboard swap - take ownership:
Figure: Motherboard Swap - Take Ownership. Labels: Trusted Platform Module; Decrypted via derived AES Key; System Leaf Private Key; Store Leaf Private Key; System Leaf Public Key; Store Leaf Public Key; System Base Private Key; System B...
Page 29 - EFS protection utility; Using the EFS command line utility
EFS protection utility
Client Security Solution provides a command line utility that enables TPM-based protection of encryption certificates used by the Encrypting File System (EFS) to encrypt files and folders. This utility supports transfer of third-party certificates (certificates generated by a Ce...
Page 30 - The following commands are examples of the XML Schema:
Using the XML Schema
The purpose of the XML scripting is to enable IT administrators to create custom scripts that can be used to deploy and configure Client Security Solution. The scripts can be password-protected with AES encryption by the xml_crypt_tool executable. Once created, the virtu...
Page 36 - the user’s security keys.
<DOMAIN_NAME_PARAMETER>IBM-2AA92582C79</DOMAIN_NAME_PARAMETER>
<USER_PW_REC_ANSWER_DATA_PARAMETER>Test1</USER_PW_REC_ANSWER_DATA_PARAMETER>
<USER_PW_REC_ANSWER_DATA_PARAMETER>Test2</USER_PW_REC_ANSWER_DATA_PARAMETER>
<USER_PW_REC_ANSWER_DATA_PARAMETER>Test3&...
Page 38 - Enforced fingerprint bypass option; Client Security Solution has the following command-line tools:
To leverage the PKCS #11 module of Client Security Solution, the following policies must be set for Active Directory:
1. PKCS #11 Signature
2. PKCS #11 Decryption
The following table provides the modifiable field and description of policies for PKCS #11:
Table 10. ThinkVantage\Client Security Solutio...
Page 39 - Security Solution
• “Security Advisor” on page 33
• “Client Security Solution setup wizard” on page 34
• “Deployment file encrypt or decrypt tool” on page 34
• “Deployment file processing tool” on page 35
• “TPMENABLE.EXE” on page 35
• “Certificate Transfer tool” on page 35
• “TPM activate tool” on page 36
Security A...
Page 40 - Client Security Solution setup wizard; Deployment file encrypt or decrypt tool; The parameters are shown in the following table:
Table 11. Parameters (continued)
Parameters / Description
FileSharing: Sets the value for the file sharing. 1 will show this section, 0 will hide. If not present then it is shown by default.
AuthorizedAccessOnly: Sets value that authorized access should be set for file-sharing, or setting will be flagged....
Page 41 - and; Deployment file processing tool; The following table provides the parameters for file processing.; The tpmenable.exe file is used to turn the security chip on or off.; Certificate Transfer tool
Table 13. Parameters for encrypting or decrypting Client Security XML deployment files
Parameters / Results
/h or /?: Displays the help message
FILENAME: Displays path name and filename with either .xml or .enc extension
encrypt or decrypt: Selects /encrypt for .xml files and /decrypt for .enc files
PASSP...
Page 42 - TPM activate tool; You need administrator privileges to run this command.
Table 16. css_cert_transfer_tool.exe <cert_store_type> <filter_type>:<name | size> | all_access | usage
Parameter / Description
<cert_store_type>: This is the first required parameter. It must be used as the first switch and include one of the following examples: cert_store_user ...
Page 43 - Active Directory Support; • Computer policies
Table 17. Parameters for activating or deactivating the TPM on the Lenovo system (continued)
Parameter / Description
/deactivate: Deactivates the TPM. Note: If you run tpm_activate_cmd.exe without parameter /deactivate, it will activate the TPM by default.
/verbose: Displays a text output. Example: tpm...
Page 44 - • Default user preferences; Defining manageable settings; Group Policy settings; Max retries
• Default user preferences
As described previously, computer and user policies are defined by the administrator. These settings can be initialized through the XML configuration file or through a Group Policy in the Active Directory. Computer and user preferences are set by the user on the client compu...
Page 47 - Workstation security tool
Table 23. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ User interface
Policy setting / Description
Fingerprint software option: Show, gray or hide the Fingerprint software option in the Client Security Solution application. Default: Show.
File encryption option: Show, gray or hide t...
Page 48 - Active Update; Rename or delete the ActiveUpdate key.
Table 24. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ Workstation security tool (continued)
Policy Setting / Description
Windows Users Passwords, Password: Select the recommended value as enable or disable or select to ignore this setting.
Windows Users Passwords, Password Age: Max num...
Page 49 - Active Update Parameter File
Active Update Parameter File
The Active Update parameter file contains the settings to be passed to Active Update. The TargetApp parameter is passed as shown in this example:
<root>
<TargetApp>ACCESSLENOVO</TargetApp>
</root>
<root>
<TargetApp>1EA5A8D5-7E33-11D2-B80...
Page 51 - Chapter 4. Working with ThinkVantage Fingerprint Software; Management console tool
Chapter 4. Working with ThinkVantage Fingerprint Software
The fingerprint console must be run from the Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies which mode of operation will be used. The full command is then “fprc...
Page 52 - Global settings commands
Table 25. User-specific commands (continued)
Command / Syntax / Description
Export enrolled user to a file. Syntax: EXPORT username[| domain\username] file. This command will export an enrolled user to a file on the hard disk drive. The user then can be imported using the IMPORT command on other computer or o...
Page 53 - Secure mode and convenient mode; An; Secure mode - administrator; Secure mode - limited user
Secure mode and convenient mode
Fingerprint Software can be run in two security modes, a secure mode and a convenient mode. The secure mode is intended for situations when you want to achieve higher security. Special functions are reserved for administrators only. Only administrators can log on using ...
Page 55 - Configurable settings; : The mechanism for enabling fingerprint preboot or power-on; Sounds; Password validation during system unlock; : By default, the fingerprint software validates stored
Table 30. Options for limited users in the convenient mode (continued)
Settings / Description
Security mode: Limited users cannot modify security modes.
Pro Servers: Limited users can access - only relevant with server.
Configurable settings
Some fingerprint software options can be configured through re...
Page 56 - Fingerprint Software and Novell Netware Client; Activated; Authenticating; Yes
The fingerprint software will continue to validate the password at system logon. Note: When the above registry key is set to 1, if the domain administrator changes the user's password while the user's system is locked, the fingerprint software will have the old password stored until the user logs off and logs ...
Page 57 - ThinkVantage Fingerprint Software service
9. Reboot.
Note: Your authentication ID and password for Windows and Novell must be identical.
ThinkVantage Fingerprint Software service
The upeksvr.exe service is added to the system after the ThinkVantage fingerprint software is installed. It starts during startup and then runs all the time...
Page 59 - Chapter 5. Working with Lenovo Fingerprint Software
Chapter 5. Working with Lenovo Fingerprint Software
The fingerprint console must be run from the Lenovo Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies which set of operations will be used. The full command is “fprconsole...
Page 61 - Chapter 6. Best Practices; Deployment examples for installing Client Security Solution; XXXX
Chapter 6. Best Practices
This chapter presents scenarios to illustrate the best practices of Client Security Solution and Fingerprint Software. This scenario starts with the configuration of the hard disk drive, continues through several updates, and follows the life cycle of a deployment.
Installati...
Page 63 - Scenario 2; Administration; BIOSpw
******************************************************* Ready to take sysprep backup. ** ** ** ** PLEASE RUN SYSPREP NOW AND SHUT DOWN. ** ** ** ** Next time the machine boots, it will boot ** ** to the Predesktop Area and take a backup. ** ***************************************************** 7. Ru...
Page 64 - xxxx
4. Install ThinkVantage Fingerprint tutorial by running the f001zpz7001us00.exe to extract the tutess.exe file from the Web package. This will automatically extract the setup.exe to the following location: C:\SWTOOLS\APPS\tutorial\TFS5.8.2 Buildxxxx\Tutorial\0409\tutess.exe
5. Install ThinkVantage F...
Page 66 - Creating template for TPM user; mmc; Configuring an enterprise certification authority
2. Over-install all three different versions of older software (Rescue and Recovery 1.0/2.0/3.0, Fingerprint, Client Security Solution 5.4–6, FFE). Settings should be kept when installing the new version over the old version.
System Migration Assistant
Migrate from T40 with Client Security Solution 7...
Page 67 - Applying certificate from the Client; Windows Vista logon
1. Open Certification Authority.
2. In the console tree, click Certificate Templates.
3. From the Action menu, click New ➙ Certificate to Issue.
4. Click TPM and click OK.
Applying certificate from the Client
To apply a certificate from the Client, complete the following procedure:
1. Conn...
Page 68 - Windows XP logon; Scenario 1 – ThinkPad T400 with USB keyboard (not attached to domain)
4. Use the ThinkVantage fingerprint software to enroll your fingerprints with the external fingerprint sensor. If it does not automatically start, click Start ➙ Programs ➙ ThinkVantage ➙ ThinkVantage Fingerprint Software to start the enrollment.
5. Enter your Windows password when prompted and then ...
Page 69 - Scenario 2 – ThinkPad T400 with USB keyboard (attached to domain)
11. Click Start ➙ Programs ➙ ThinkVantage ➙ ThinkVantage Fingerprint Software to start the enrollment.
12. Click Fingerprints ➙ Enroll or Edit Fingerprints, and then click Next to display the Windows password window.
13. Enter your Windows password when prompted and then select a finger to enroll. ...
Page 70 - Client Security Solution and Password Manager
Client Security Solution and Password Manager
Unlike Windows logon, authentication requests from Client Security Solution and Password Manager only work on the preferred fingerprint sensor. For example, when a fingerprint keyboard is connected, its fingerprint sensor is the preferred device. W...
Page 73 - Appendix A. Considerations when using OmniPass; OmniPass from Softex
Appendix A. Considerations when using OmniPass
OmniPass from Softex © is a program that can be used to securely log in to Web sites and applications, as well as protect data on a computer. OmniPass can take advantage of the computer's TPM by accessing it through interfaces provided by Client Security ...
Page 74 - and continue using Omnipass.
Table 33. Omnipass feature overlap (continued)
Function / Feature overlap / Considerations
User authentication: Both Client Security Solution and OmniPass may prompt for user authentication. If using both Client Security Solution and OmniPass, ensure that users understand the difference between the authentica...
Page 75 - are not configured correctly.
Appendix B. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models
The fingerprint device used in some ThinkPad notebook models is different from the fingerprint device used in the Lenovo Fingerprint Keyboard. Special considerations might be required if the...
Page 76 - Windows XP - Welcome Screen; logon if both devices are available.; Windows XP - Classic logon prompt; if both devices are available.
Windows XP - Welcome Screen
To support logging on with either the Lenovo Fingerprint Keyboard or the built-in ThinkPad fingerprint sensor with the Windows XP Welcome Screen, the logon interfaces for both the Lenovo Fingerprint Software and the ThinkVantage Fingerprint Software must be enabled. When lo...
Page 77 - either fingerprint sensor can be used to log on.; Manage; from the Client Security Solution application; Advanced; Authentication with Client Security Solution; The registry entry is as below:
2. The Windows Vista logon screen may only show one “tile,” or button, for fingerprint logon, although either fingerprint sensor can be used to log on. Alternatively, to support logon with either the fingerprint keyboard or the integrated fingerprint device, the Client Security Solution logon interfac...
Page 82 - Trademarks
Trademarks
The following terms are trademarks of Lenovo in the United States, other countries, or both: Lenovo, Rescue and Recovery, ThinkCentre, ThinkPad, ThinkVantage. Microsoft, Windows, and Windows Vista are trademarks of the Microsoft group of companies. Other company, product, or service names may be t...
Page 83 - Glossary; Advanced Encryption Standard
Glossary
Administrator (ThinkCentre)/Supervisor (ThinkPad) BIOS Password
The administrator or supervisor password is used to control the ability to change BIOS settings. This includes the capability to enable or disable the embedded security chip and to clear the Storage Root Key stored within the Truste...
Page 84 - Symmetric-key encryption
Symmetric-key encryption
Symmetric key encryption ciphers use the same key for encryption and decryption of data. Symmetric key ciphers are simpler and faster, but their main drawback is that the two parties must somehow exchange the key in a secure way. Public-key encryption avoids this problem because ...