HP dc73 Blade Client Enabling and disabling DriveLock hard drive protection, Using DriveLock


Enabling and disabling DriveLock hard drive protection

DriveLock is an industry-standard security feature that prevents unauthorized access to the data on ATA hard drives. DriveLock has been implemented as an extension to Computer Setup. It is only available when hard drives that support the ATA Security command set are detected.

DriveLock is intended for HP customers for whom data security is the paramount concern. For such customers, the cost of the hard drive and the loss of the data stored on it are inconsequential when compared with the damage that could result from unauthorized access to its contents.

In order to balance this level of security with the practical need to accommodate a forgotten password, the HP implementation of DriveLock employs a two-password security scheme. One password is intended to be set and used by a system administrator, while the other is typically set and used by the end user. There is no "back-door" that can be used to unlock the drive if both passwords are lost. Therefore, DriveLock is most safely used when the data contained on the hard drive is replicated on a corporate information system or is regularly backed up.

In the event that both DriveLock passwords are lost, the hard drive is rendered unusable. For users who do not fit the previously defined customer profile, this may be an unacceptable risk. For users who do fit the customer profile, it may be a tolerable risk given the nature of the data stored on the hard drive.

Using DriveLock

When one or more hard drives that support the ATA Security command set are detected, the DriveLock option appears under the Security menu in Computer Setup. The user is presented with options to set the master password or to enable DriveLock. A user password must be provided in order to enable DriveLock. Since the initial configuration of DriveLock is typically performed by a system administrator, a master password should be set first. HP encourages system administrators to set a master password whether they plan to enable DriveLock or keep it disabled. This will give the administrator the ability to modify DriveLock settings if the drive is locked in the future. Once the master password is set, the system administrator may enable DriveLock or choose to keep it disabled.

If a locked hard drive is present, POST will require a password to unlock the device. If a power-on password is set and it matches the device's user password, POST will not prompt the user to re-enter the password. Otherwise, the user will be prompted to enter a DriveLock password. On a cold boot, either the master or the user password may be used. On a warm boot, enter the same password that was used to unlock the drive during the preceding cold boot. Users will have two attempts to enter a correct password. On a cold boot, if neither attempt succeeds, POST will continue but the drive will remain inaccessible. On a warm boot or restart from Windows, if neither attempt succeeds, POST will halt and the user will be instructed to cycle power.

DriveLock Applications

The most practical use of the DriveLock security feature is in a corporate environment. The system administrator would be responsible for configuring the hard drive, which would involve, among other things, setting the DriveLock master password and a temporary user password. In the event that the user forgets the user password or the equipment is passed on to another employee, the master password can always be used to reset the user password and regain access to the hard drive.

HP recommends that corporate system administrators who choose to enable DriveLock also establish a corporate policy for setting and maintaining master passwords. This should be done to prevent a situation where an employee intentionally or unintentionally sets both DriveLock passwords before leaving the company. In such a scenario, the hard drive would be rendered unusable and require replacement. Likewise, by not setting a master password, system administrators may find themselves locked out of a hard drive and unable to perform routine checks for unauthorized software, other asset control functions, and support.
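
An audit helper for the master-password policy above and for the ATA Security requirement stated under "Using DriveLock". It is an added example, not part of HP's documentation, and it parses the "Security:" section that the Linux `hdparm -I` command prints for a drive. The sample output is constructed, and reading revision code 65534 as "master password possibly never set" is an assumption, since whether that code changes depends on the firmware or tool that set the password.

```python
import re

# Constructed sample of the "Security:" section of `hdparm -I` output for one
# drive (not captured from a real system).
SAMPLE_LOCKED = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\t\tenabled\n"
    "\t\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\tSecurity level high\n"
    "Checksum: correct\n"
)
DEFAULT_MASTER_REVISION = 65534  # 0xFFFE, the value drives ship with

def parse_security(text):
    """Extract ATA Security flags from the 'Security:' section."""
    state = {"supported": False, "enabled": False, "locked": False,
             "master_revision": None}
    in_section = False
    for line in text.splitlines():
        if line.strip() == "Security:":
            in_section = True
        elif in_section and line and not line[0].isspace():
            break                      # next top-level section starts
        elif in_section:
            m = re.search(r"revision code\s*=\s*(\d+)", line)
            if m:
                state["master_revision"] = int(m.group(1))
                continue
            words = line.split()
            negated = bool(words) and words[0] == "not"
            flags = words[1:] if negated else words
            # Only bare flag lines count; "supported: enhanced erase" does not.
            if len(flags) == 1 and flags[0] in ("supported", "enabled", "locked"):
                state[flags[0]] = not negated
    return state

def classify(text):
    """Map the flags to the DriveLock situations the manual describes."""
    s = parse_security(text)
    if not s["supported"]:
        return "unsupported"           # DriveLock option will not be offered
    if not s["enabled"]:
        return "disabled"
    return "enabled-locked" if s["locked"] else "enabled-unlocked"

def master_revision_is_default(text):
    """Heuristic (assumption): default code suggests no master password was set."""
    return parse_security(text)["master_revision"] == DEFAULT_MASTER_REVISION
```

A drive that classifies as "enabled-locked" or "enabled-unlocked" while `master_revision_is_default` is true is the case to raise with the administrator who owns the master-password policy.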

For users with less stringent security requirements, HP does not recommend enabling DriveLock. Users in this category include personal users or users who do not maintain sensitive data on their hard drives as a common practice. For these users, the potential loss of a hard drive resulting from forgetting both passwords is much greater than the value of the data DriveLock has been designed to protect. Access to Computer Setup and DriveLock can be restricted through the Setup password. By specifying a Setup password and not giving it to end users, system administrators are able to restrict users from enabling DriveLock.

48 Chapter 5 BIOS Configuration for HP ProtectTools
