Page 2 - “Notices” on page 75.
Note: Before using this information and the product it supports, read the general information in Appendix E “Notices” on page 75. Fourth Edition (December 2011) © Copyright Lenovo 2008, 2011. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administr...
Page 3 - Contents; iii
Contents Preface . . . . . . . . . . . . . . . . iii Chapter 1. Overview . . . . . . . . . . . 1 Client Security Solution . . . . . . . . . . . . 1 Client Security Solution passphrase . . . . . 2 Client Security password recovery . . . . . . 2 Client Security Password Manager . . . . . . 2 Security ...
Page 4 - ii
Scenario 2 . . . . . . . . . . . . . . 59 Switching Client Security Solution modes . . . . 61 Corporate Active Directory rollout . . . . . . . 61 Standalone Install for CD or script files . . . . . 62 System Update . . . . . . . . . . . . . . 62 System Migration Assistant . . . . . . . . . . 62 Gene...
Page 5 - Preface; Information presented in this guide is to support Lenovo
Preface Information presented in this guide is to support Lenovo ® computers installed with the ThinkVantage ® Client Security Solution program and the Fingerprint Software program. The goal of Client Security Solution and Fingerprint Software is to protect your systems by securing client data and to...
Page 6 - iv
Page 7 - Client Security Solution; Features of Client Security Solution 8.3 include:
Chapter 1. Overview This chapter provides an overview of Client Security Solution and Fingerprint Software. The technologies presented in this deployment guide can directly and indirectly help IT professionals because they help make personal computers easier to use, more self-sufficient, and provide p...
Page 8 - Autofill user IDs and passwords:
Client Security Solution passphrase The Client Security Solution passphrase is an optional feature of user authentication that will provide enhanced security to Client Security Solution applications. The Client Security Solution passphrase has the following requirements: • Be at least eight characters...
Page 9 - Security Advisor
entry related changes can be detected automatically by Client Security Password Manager and allows the user to update their entries with even less work. • Save your information without any extra steps: Client Security Password Manager can automatically detect when sensitive information is being sent ...
Page 10 - Fingerprint Software; Fingerprint Software offers these functions:
consistent and secure environment. The systems that have the embedded security chip are more robust against an attack; however, for the systems without the embedded security chip, Client Security Solution will leverage software based cryptographic keys as the root of trust for the system, and the syst...
Page 11 - Chapter 2. Installation; Operating system: Windows 7; Custom public properties
Chapter 2. Installation This chapter contains instructions for installing Client Security Solution, and Fingerprint Software. Before installing Client Security Solution or Fingerprint Software, you should understand the architecture of the application you are installing. This chapter provides the arch...
Page 12 - Trusted Platform Module support
Table 1. Public properties Property Description EMULATIONMODE Specify to force the installation in Emulation mode even if a TPM exists. Set EMULATIONMODE=1 on the command line to install in Emulation mode. HALTIFTPMDISABLED If the TPM is in a disabled state and the installation is running in silent mod...
Page 13 - Software emulation of the Trusted Platform Module; Installation procedures and command-line parameters; . You can choose a new location that may
Software emulation of the Trusted Platform Module Client Security Solution has the option to run without a Trusted Platform Module on qualified systems. The functionality will be the same except it will use software-based keys instead of using hardware-protected keys. The software can also be installe...
Page 16 - Standard Windows Installer public properties
Table 3. Command line parameters (continued) Parameter Description You can separate multiple transforms with a semicolon. Do not use semicolons in the name of your transform, as the Windows Installer service will interpret those incorrectly. Properties All public properties can be set or modified from...
Page 17 - Installation log file; Installation examples
Table 4. Windows Installer properties (continued) Property Description ARPSYSTEMCOMPONENT Prevents display of application in the Add or Remove Programs list. ARPURLINFOABOUT URL for an application's home page. ARPURLUPDATEINFO URL for application-update information. REBOOT The REBOOT property suppres...
Page 18 - Use the following syntax:; Options
Installing ThinkVantage Fingerprint Software The setup.exe file of the ThinkVantage Fingerprint Software program can be installed through the following methods: Silent installation To silently install ThinkVantage Fingerprint Software, run the setup.exe file located in the installation directory on yo...
Page 20 - All options are optional.; Installing Lenovo Fingerprint Software
Table 7. Options supported by the ThinkVantage Fingerprint Software (continued) Parameter Description LOCKOUT • 1 = Enable the anti-hammering protection. • 0 = Disable the anti-hammering protection. The default value is 1. LOCKOUTCOUNT Maximum retries. The default value is 5, and you can use any valu...
Page 21 - Silent installation
Silent installation To silently install the Fingerprint Software, run the setup32.exe file located in the installation directory on your CD-ROM drive. Use the following syntax: setup32.exe /s /v"/qn REBOOT="R"" To uninstall the software, use the following syntax: setup32.exe /x /s /v...
Page 23 - Systems Management Server
Systems Management Server Systems management server (SMS) installations are also supported. Open the SMS administrator console. Create a new package and set package properties in a standard way. Open the package and select New-Program in the Programs item. At the command line type: Setup.exe /m yourmi...
Page 25 - Chapter 3. Working with Client Security Solution; Using the Trusted Platform Module; wrapping; Using the Trusted Platform Module with Windows 7; Security chip has been deactivated, the logon process cannot be; Managing Client Security Solution with cryptographic keys
Chapter 3. Working with Client Security Solution Before you install Client Security Solution, you should understand the customization available for Client Security Solution. This chapter provides customization information about Client Security Solution, as well as information regarding the Trusted Pla...
Page 26 - Take Ownership
enrolled as an active user. Every other user that logs into the system will be automatically requested to enroll into Client Security Solution. • Take Ownership A single Windows administrator user ID is assigned as the sole Client Security Solution Administrator for the system. Client Security Solutio...
Page 27 - System Level Key Structure - Take Ownership; Enroll User
The following diagram provides the structure for the System Level Key: System Level Key Structure - Take Ownership Trusted Platform Module Encrypted via derived AES Key Storage Root Private Key Storage Root Public Key System Leaf Private Key System Base Private Key System Leaf Public Key System Base...
Page 28 - User Level Key Structure - Enroll User; Background enrollment; Reset Security Settings; Or by editing the following registry key as below:; Software emulation
The following diagram provides the structure for the user level key: User Level Key Structure - Enroll User Trusted Platform Module Encrypted via derived AES Key Storage Root Private Key Storage Root Public Key User Leaf Private Key User Base Private Key User Leaf Public Key User Base Public Key Win...
Page 29 - System board swap; Follow these steps to perform the system board swap:
The TPM emulation mode cannot be used as a secure substitute for the TPM. The TPM provides the following two key protection methods that are more secure than the TPM emulation mode. • All keys used by the TPM are protected by a unique root-level key. The unique root-level key is created inside the TP...
Page 30 - Motherboard Swap - Take Ownership; Motherboard Swap - Enroll User
The following diagram provides the structure for the motherboard swap - take ownership: Motherboard Swap - Take Ownership Trusted Platform Module Decrypted via derived AES Key System Leaf Private Key Store Leaf Private Key System Leaf Public Key Store Leaf Public Key System Base Private Key System B...
Page 31 - EFS protection utility; Using the EFS command line utility
EFS protection utility Client Security Solution provides a command line utility that enables TPM-based protection of encryption certificates used by the Encrypting File System (EFS) to encrypt files and folders. This utility supports transfer of third party certificates (certificates generated by a Ce...
Page 32 - The following commands are examples of the XML Schema:
When run in silent mode, the output of the program will be an error level corresponding to the error numbers shown above. Using the XML Schema The purpose of the XML scripting is to enable IT administrators to create custom scripts that can be used to deploy and configure Client Security Solution. Th...
Page 38 - the user’s security keys.; Using RSA SecurID tokens; Complete the following steps to install the RSA SecurID software:
<DOMAIN_NAME_PARAMETER>IBM-2AA92582C79</DOMAIN_NAME_PARAMETER><USER_PW_REC_ANSWER_DATA_PARAMETER>Test1</USER_PW_REC_ANSWER_DATA_PARAMETER> <USER_PW_REC_ANSWER_DATA_PARAMETER>Test2</USER_PW_REC_ANSWER_DATA_PARAMETER> <USER_PW_REC_ANSWER_DATA_PARAMETER>Test3&...
Page 40 - Enforced fingerprint bypass option
Table 10. ThinkVantage\Client Security Solution\Authentication Policies\PKCS# 11 Signature\Custom Mode Fields CSS.ADM Modifiable field Required Field Description Controls whether password or passphrase is required. Possible values • Enabled – Every time – Once per logon • Disabled • Not configured S...
Page 41 - Advanced; and click; file that is located in the
• “Certificate Transfer tool” on page 37 • “Activating or deactivating the TPM” on page 38 Security Advisor To use the Security Advisor function, launch the Client Security Solution program, click the Advanced menu, and click the Security Advisor button in the Client Security Solution workspace. The sys...
Page 42 - Client Security Solution setup wizard; Deployment file encrypt or decrypt tool; The parameters are shown in the following table:
Table 11. Parameters (continued) Parameters Description EmbeddedSecurityChip Sets value that security chip should be enabled, or setting will be flagged. ClientSecuritySolution Sets value of what version Client Security Solution should be on this machine, or setting will be flagged. Client Security So...
Page 43 - and; Deployment file processing tool; The following table provides the parameters for file processing.; The tpmenable.exe file is used to turn the security chip on or off.; Certificate Transfer tool
Table 13. Parameters for encrypting or decrypting Client Security XML deployment files (continued) Parameters Results /encrypt or /decrypt Selects /encrypt for XML files and /decrypt for ENC files. PASSPHRASE Displays the optional parameter that is required if a passphrase is used to protect the file...
Page 44 - Activating or deactivating the TPM; Sample Scripts for BIOS Deployment Guide; to download the script.zip file. Then extract the
Table 16. css_cert_transfer_tool.exe <cert_store_type> <filter_type>:<name | size> | all_access | usage Parameter Description <cert_store_type> This is the first required parameter. It must be used as the first switch and include one of the following examples: cert_store_user ...
Page 45 - cscript.exe SetConfig.vbs SecurityChip Active; Using the TPM activation tool (Windows XP)
For desktop computers, do the following to activate the TPM: 1. Go to the Web site at http://support.lenovo.com/en_US/detail.page?LegacyDocID=MIGR-75407. 2. Click Visual Basic sample scripts to use when configuring BIOS settings to download the sample_script_m90.zip file. Then extract the zip file. ...
Page 46 - Active Directory Support
• Disabled • Activated • Deactivated • Owned • Not owned /setstate: <state> sets the TPM status type you prefer. 0 represents disabled and deactivated. 1 represents enabled. 2 represents activated. 4 represents owned. You can use the adding function (that is, bitwise OR) to set multiple valid ...
Page 47 - Defining manageable settings
The following examples are settings that Active Directory can manage for Client Security Solution: • Security policies. • Custom security policies, such as whether to use a Windows password or Client Security Solution passphrase. Administrative (ADM) template files The ADM (Administrative) template ...
Page 48 - Group Policy settings; Max retries
HKLM\Software\Lenovo\Client Security Solution\ User preferences: HKCU\Software\Lenovo\Client Security Solution\ Default user preferences: HKLM\Software\Lenovo\Client Security Solution\User defaults Group Policy settings The tables in this section provide policy settings for the Computer Configuration an...
Page 50 - User Interface
Table 22. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ Password manager (continued) Policy setting Description Disable Auto-fill Controls whether Password manager will auto-fill data into Web sites and Windows applications. Disable Hotkey support Controls whether Password manage...
Page 51 - Workstation security tool
Table 23. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ User interface (continued) Policy setting Description Enable/disable Windows password recovery option Show, gray, or hide the option to enable or disable Windows password recovery in the Client Security Solution application. ...
Page 53 - Chapter 4. Working with ThinkVantage Fingerprint Software; Management console tool
Chapter 4. Working with ThinkVantage Fingerprint Software The fingerprint console must be run from the ThinkVantage Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies which mode of operation will be used. The full command ...
Page 54 - Global settings commands
Table 25. User-specific commands (continued) Command Syntax Description Enumerate enrolled users List Lists the enrolled users. Export enrolled user to a file Syntax: EXPORT username[| domain\username] file This command will export an enrolled user to a file on the hard disk drive. The user then can b...
Page 55 - Secure mode and convenient mode; An; Secure mode - administrator; Secure mode - limited user
Secure mode and convenient mode Fingerprint Software can be run in two security modes, a secure mode and a convenient mode. The secure mode is intended for situations when you want to achieve higher security. Special functions are reserved for administrators only. Only administrators can log on using ...
Page 57 - Configurable settings; : The mechanism for enabling fingerprint preboot or power-on; Sounds; Password validation during system unlock; : By default, the fingerprint software validates stored
Table 30. Options for limited users in the convenient mode (continued) Settings Description Security mode Limited users cannot modify security modes. Pro Servers Limited users can access - only relevant with server. Configurable settings Some fingerprint software options can be configured through re...
Page 58 - Fingerprint Software and Novell Netware Client; Activated; Authenticating; Yes
The fingerprint software will continue to validate the password at system logon. Note: When the above registry key is set to 1, if the domain administrator changes the user's password when the user's system is locked, the fingerprint software will have the old password stored until the user logs off and logs ...
Page 59 - ThinkVantage Fingerprint Software service
8. Log onto Windows. 9. Reboot. Note: Your authentication ID and password for Windows and Novell must be identical. ThinkVantage Fingerprint Software service The upeksvr.exe service is added to the system after the ThinkVantage fingerprint software is installed. It starts running during startup, and t...
Page 61 - Chapter 5. Working with Lenovo Fingerprint Software
Chapter 5. Working with Lenovo Fingerprint Software The fingerprint console must be run from the Lenovo Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies what set of operation will be used. The full command is “fprconsole...
Page 63 - Chapter 6. Best Practices; Deployment examples for installing Client Security Solution; XXXX
Chapter 6. Best Practices This chapter presents scenarios to illustrate the best practices of Client Security Solution and Fingerprint Software. This scenario starts with the configuration of the hard disk drive, continues through several updates, and follows the life cycle of a deployment. Installati...
Page 65 - Scenario 2; Administration; BIOSpw
******************************************************* Ready to take sysprep backup. ** ** ** ** PLEASE RUN SYSPREP NOW AND SHUT DOWN. ** ** ** ** Next time the machine boots, it will boot ** ** to the Predesktop Area and take a backup. ** ***************************************************** 7. Ru...
Page 67 - xxxx; Switching Client Security Solution modes
3. Install the ThinkVantage Fingerprint console on the deployment machine by doing the following: a. Deploy the fprconsole.exe file that has been extracted from the preparation machine to the deployment machine, using your company's software distribution tool. b. Place the fprconsole.exe file to the...
Page 68 - Creating template for TPM user; mmc; OK
c. Through Active Directory, enable Antidote Delivery Manager. Place packages to be run and make sure reporting is captured. Standalone Install for CD or script files For a standalone install for CD or script file, complete the following steps: 1. Use one batch file to silently install Client Securi...
Page 69 - TPM User; Configuring an enterprise certification authority
3. From the File menu, click Add/Remove Snap-in, and then click Add. The Add Standalone snap-in window displays. 4. Double-click Certification Authority in the snap-in list, and click Close. 5. Click OK in the Add/Remove Snap-in window. 6. Click Certificate Templates from the console tree. All of...
Page 73 - interfaces are not configured correctly.
Appendix A. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models The fingerprint device used in some ThinkPad notebook models is different from the fingerprint device used in the Lenovo Fingerprint Keyboard. Special considerations might be required if the...
Page 74 - Authentication with Client Security Solution; Internal only
• Using the Fingerprint Software logon interface The logon interfaces of both Lenovo Fingerprint Software and ThinkVantage Fingerprint Software must be enabled. When both fingerprint logon interfaces are enabled in the Windows 7 operating system, users can swipe their finger on either the fingerprint...
Page 79 - Appendix D. Using the TPM on ThinkPad notebook computers; How to deploy BitLocker remotely?; How does TPM lockout work?
Appendix D. Using the TPM on ThinkPad notebook computers The main use case for the TPM is the BitLocker feature that is included with certain versions of the Microsoft Windows Vista and Windows 7 operating systems. This appendix provides answers to the following frequently asked questions when deployi...
Page 82 - Trademarks
Trademarks The following terms are trademarks of Lenovo in the United States, other countries, or both: Lenovo ThinkCentre ThinkPad ThinkVantage Microsoft, Internet Explorer, Windows Server, and Windows are trademarks of the Microsoft group of companies. Other company, product, or service names may be t...
Page 83 - Glossary; Advanced Encryption Standard
Glossary Administrator (ThinkCentre)/Supervisor (ThinkPad) BIOS Password The administrator or supervisor password is used to control the ability to change BIOS settings. This includes the capability to enable or disable the embedded security chip and to clear the Storage Root Key stored within the Truste...
Page 84 - Symmetric-key encryption
Symmetric-key encryption Symmetric key encryption ciphers use the same key for encryption and decryption of data. Symmetric key ciphers are simpler and faster, but their main drawback is that the two parties must somehow exchange the key in a secure way. Public-key encryption avoids this problem because ...