THINKPAD W700

Lenovo THINKPAD W700, Hardware Password Manager, ThinkCentre M58, ThinkCentre M58p, ThinkPad R400, ThinkPad R500, ThinkPad T400, ThinkPad T500, ThinkPad X200 Tablet 7453, ThinkPad X200s, ThinkPad X301 Deployment Manual

Hardware Password Manager
Deployment Guide
Updated: July, 2010
Note: Before using this information and the product it supports, read the general information in Appendix D "Notices" on page 49.
Third Edition (July 2010)
© Copyright Lenovo 2010.
LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold to governmental entities as commercial items as defined by 48 C.F.R. 2.101 with limited and restricted rights to use, reproduction and disclosure.
LIMITED AND RESTRICTED RIGHTS NOTICE: If products, data, computer software, or services are delivered pursuant a General Services Administration "GSA" contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.
Contents
Preface ........ v
Chapter 1. Overview ........ 1
Chapter 2. Installing Hardware Password Manager on ThinkManagement Console ........ 3
Prerequisites ........ 3
Preparing the core server ........ 4
ThinkManagement Console with HPM server setup ........ 5
Migrating to a new LDAP server ........ 6
Installing Hardware Password Manager on a Lenovo device ........ 6
Chapter 3. Managing Hardware Password Manager devices with ThinkManagement Console ........ 9
Viewing Hardware Password Manager devices and their properties ........ 9
Managing enrolled users on Hardware Password Manager devices ........ 10
Configuring an LDAP server connection ........ 10
Viewing Hardware Password Manager users and their properties ........ 11
Removing a user's access to a Hardware Password Manager device ........ 12
Managing Hardware Password Manager groups ........ 12
Managing remote actions and policy settings for Hardware Password Manager devices ........ 13
Updating client policies globally ........ 14
Updating hardware passwords globally ........ 15
Updating the emergency account ........ 16
Changing server policy settings ........ 17
Defining scopes and roles for console users ........ 18
Chapter 4. Hardware Password Manager Client ........ 21
Hardware Password Manager device setup ........ 21
Registering a device with the Hardware Password Manager server and enrolling the first user ........ 21
Enrolling additional users on a Hardware Password Manager device ........ 22
Removing a user from a Hardware Password Manager device ........ 23
Unregistering a device from the Hardware Password Manager server ........ 23
Updating credentials on a Hardware Password Manager device ........ 24
Chapter 5. Deployment ........ 25
Fingerprint integration ........ 25
SafeGuard Easy/SafeGuard Enterprise compatibility ........ 26
One-touch registration ........ 26
Pre-registration ........ 27
User enrollment on a pre-registered system ........ 27
Chapter 6. Scenarios ........ 29
Service scenarios (configuration changes) ........ 29
Scenario 1 - Hardware configuration changes ........ 29
Scenario 2 - CMOS error ........ 29
Scenario 3 - Replace the fingerprint device ........ 30
Scenario 4 - Hardware passwords already set ........ 30
Scenario 5 - Setup under the operating system (remote BIOS settings) ........ 30
Scenario 6 - Replace the system board ........ 31
Scenario 7 - Add a hard disk drive ........ 31
Scenario 8 - Replace or move a hard disk drive ........ 31
Scenario 9 - Change the hard disk location within a system ........ 32
Scenario 10 - Remove a hard disk drive ........ 32
Scenario 11 - Flashing the BIOS ........ 32
Scenario 12 - Registered system can no longer access the Hardware Password Manager server ........ 33
Scenario 13 - Enter the BIOS setup ........ 33
Scenario 14 - Load default settings in the BIOS setup ........ 33
Scenario 15 - Do not protect all hard drives ........ 33
User Scenarios ........ 34
Scenario 1 - Forgot Hardware Account credentials, network connected ........ 34
Scenario 2 - Forgot Hardware Account credentials, NOT network connected ........ 34
Scenario 3 - Forgot the corporate password ........ 34
Scenario 4 - Manual login using different keyboard types ........ 34
Scenario 5 - Handling enrollment from multiple boot partitions ........ 35
Scenario 6 - BitLocker ........ 35
Appendix A. Security and convenience ........ 37
Appendix B. Disaster recovery ........ 39
Appendix C. Hints and tips ........ 43
Appendix D. Notices ........ 49
Trademarks ........ 50
iv Hardware Password Manager Deployment Guide
Preface
This guide is intended for IT administrators, or those who are responsible for deploying the Lenovo® Hardware Password Manager™ program on computers in their organizations. The purpose of this guide is to provide the information required for installing Hardware Password Manager on one or many computers, provided that licenses for the software are available for each target computer. The Hardware Password Manager application provides application help, which administrators and users can consult for information about using the application itself.
Lenovo Hardware Password Manager is developed for IT professionals and the unique challenges they may encounter. This deployment guide will provide instructions and solutions for working with Hardware Password Manager. If you have suggestions or comments, communicate with your Lenovo authorized representative. To learn more about the technologies that can help you lower the total cost of ownership and to check for periodic updates to this guide, go to the following Web site:
http://www.lenovo.com
Chapter 1. Overview
The Lenovo Hardware Password Manager (HPM) gives an administrator the ability to manage hardware passwords for all registered PC devices. Further, it creates the notion of a BIOS-level user ID and password for the end user to use as a single sign-on proxy. This user ID and password can be synchronized with the Windows ID and password for the user. The user also has the option to authenticate himself to BIOS using his fingerprint. When the device powers on, the user is asked for these credentials. If provided, the device will log in the user to his desktop. This mechanism preserves the user's privacy and makes it possible for him to use the device, even though he does not know what the actual hardware passwords are.
When HPM is installed, the Lenovo ThinkManagement Console core server acts as the HPM server—it manages and authenticates HPM devices. In addition, an Active Directory or eDirectory LDAP server functions as the authentication server for Hardware Password Manager—the HPM server checks user credentials against data on the LDAP server.
On Lenovo client devices which support HPM, the administrator installs an agent that contains a Hardware Password Manager application. When the client device powers on, it communicates through UDP port 50001 with the HPM server.
After the client has booted to the operating system, it uses the Hardware Password Manager client application to communicate with a Web service on the server. This communication is through an HTTPS channel.
The administrator uses the HPM features in the ThinkManagement Console to manage HPM devices and create and deploy policies to these devices. These policies determine how Hardware Password Manager is implemented for the devices; for example, the administrator selects which user options are available on HPM devices as part of the policy definition.
Chapter 2. Installing Hardware Password Manager on ThinkManagement Console
To use HPM functionality, the Lenovo ThinkManagement Console must be installed. As you configure this installation, you will define connection details for your LDAP server to provide authentication services for HPM. Policies for how hardware passwords are generated and how client devices are managed are defined in the console as well.
Next, you install the HPM client software on individual Lenovo devices that support HPM. A BIOS setting is used to enable or disable HPM support on these devices. This setting must be set to Enabled for the device to work with HPM.
After completing these installation tasks, you can begin registering Lenovo HPM devices with the HPM server and enrolling users on those devices.
Prerequisites
The following items should be considered prior to installing Lenovo ThinkManagement Console with HPM on your server:
• The server should have access to the internet in order to obtain prerequisites and to activate after the installation is complete.
• The server should have a static IP address.
• The server cannot be a Domain Controller. It is recommended, however, to have the server join a domain.
• The account with which you log in to perform the installation of the core server must have Administrator privileges on the server with full read/write access. Ideally this account would also be a Domain Administrator account. This account will be used to create the initial administrator-level account that is used to log in to the ThinkManagement Console.
In order to ensure a clean, working installation, the following installation order is recommended:
1. Install the Windows® Server 2003 R2 (32-bit) operating system with SP2 or the Windows Server 2008 R2 (64-bit) operating system.
2. Install the Windows Component Internet Information Services (IIS).
Note: For the Windows Server 2003 R2 (32-bit) operating system, this MUST be done before installing ASP.Net.
3. Install the following Windows Components:
• ASP.Net
• SNMP
4. Use Windows Update to install all available critical updates.
5. Install Microsoft® .NET Framework® 2.0 or later.
6. Install Web Services Enhancements (WSE) 3.0 for Microsoft .NET if you are using the Windows Server 2008 R2 (64-bit) operating system, or install Web Services Enhancements (WSE) 2.0 SP3 if you are using the Windows Server 2003 R2 (32-bit) operating system.
After the ThinkManagement Console is installed, it is recommended that you enable Security and Patch Manager to obtain updates for this product. In the console application, click Help → LANDesk® Help Wizard → Security Updates for a guide to configuring Security and Patch Manager.
Preparing the core server
The HPM core server will use the ThinkManagement Console 9.0 that is based on LANDesk Management Suite 9.0. For more information about LANDesk Management Suite system requirements, go to the following Web site:
http://community.landesk.com/support/docs/DOC-7478
For details on prerequisites for installing ThinkManagement Console 9.0, go to the following Web site:
http://community.landesk.com/support/docs/DOC-6767
The preferred platform for ThinkManagement Console 9.0 is the Windows Server 2008 R2 (64-bit) operating system. The following instructions describe how to configure the Windows Server 2008 R2 (64-bit) operating system to meet the ThinkManagement Console 9.0 prerequisites.
1. Install the Windows Server 2008 R2 (64-bit) operating system from the installation media. It is recommended to install the server operating system again for the HPM core server, because existing operating system images might have settings that are incompatible with the HPM core server.
2. Run Windows Update and ensure that all necessary critical updates have been applied.
3. Name the core server. It is important that the core server name is set correctly. After being installed, an HPM core server cannot be renamed.
4. Disable the Indexing Service and Windows Search Service because they might interfere with the normal operation of the HPM core server. For more details, go to the Web site:
http://community.landesk.com/support/docs/DOC-7245
5. Add the application server role.
a. Click Start → Server Manager.
b. Click Add Roles.
c. Select Web Server (IIS).
d. Click Next. You will be prompted to add additional required features for this role.
e. Select Add Required Features.
f. On the Select Server Roles screen, select Application Server. You will be prompted to add additional required features for this role.
g. Click Add Required Features.
h. On the Select Server Roles screen, click Next.
i. Click Next.
j. Select Web Server (IIS) Support. You will be prompted to add additional role services and features.
k. Click Add Required Role Services.
l. Select COM+ Network Access.
m. Click Next.
n. Click Next.
o. Under the Role Services section, select ASP, CGI, and Server Side Includes under Application Development.
p. Scroll down to the bottom of the list and select IIS 6 Management Compatibility.
q. Click Next.
r. The Confirm Installation Selections dialog box is displayed. Click Install.
s. Click Close when the installation completes.
When using the Windows Server 2008 R2 (64-bit) operating system, the Monitoring/Alerts (SNMP) additional feature must be installed as well.
1. Click Start → Server Manager.
2. In the Server Manager console, click Features and then click Add Features in the right pane of the window.
3. Select SNMP Services.
4. Click Next.
5. Click Install.
6. Click Close.
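The Windows Server 2008 R2 preparation above (prerequisites check, disabling the search services, and the role and feature selections from the Server Manager wizard) can be scripted instead of clicked through. The following PowerShell is an added example, not part of the Lenovo guide or the ThinkManagement Console product. It assumes the ServerManager module present on Windows Server 2008 R2; the feature names are the module's names as mapped to the wizard labels in the comments, and the Indexing Service service name (cisvc) and the COM+ Network Access feature name (AS-Ent-Services) are assumptions to confirm with Get-WindowsFeature on your server.

```powershell
# Added example (not from the Lenovo guide): checks the Prerequisites list and
# installs the Windows Server 2008 R2 roles/features the guide selects in Server
# Manager. Run in an elevated PowerShell session on the future core server.
Import-Module ServerManager

function Test-HpmCorePrerequisites {
    $issues = @()

    # The installing account must have Administrator privileges on the server.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $issues += 'Not running with Administrator privileges.'
    }

    # The server cannot be a Domain Controller (DomainRole 4 or 5) but should be domain-joined.
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.DomainRole -ge 4) { $issues += 'Server is a Domain Controller; the HPM core server must not be a DC.' }
    if (-not $cs.PartOfDomain) { $issues += 'Server is not joined to a domain (recommended).' }

    # The server should have a static IP address: flag any IP-enabled adapter on DHCP.
    $dhcpAdapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        Where-Object { $_.DHCPEnabled }
    if ($dhcpAdapters) { $issues += 'At least one IP-enabled adapter uses DHCP; a static IP is required.' }

    return $issues
}

function Install-HpmCoreRoles {
    # Step 4: disable Windows Search (WSearch) and the Indexing Service (cisvc, name assumed).
    foreach ($svc in 'WSearch', 'cisvc') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc -StartupType Disabled
        }
    }

    $features = @(
        'Web-Server',                          # Web Server (IIS) role
        'Application-Server',                  # Application Server role
        'AS-Web-Support',                      # Web Server (IIS) Support role service
        'AS-Ent-Services',                     # COM+ Network Access (feature name assumed)
        'Web-ASP', 'Web-CGI', 'Web-Includes',  # ASP, CGI, Server Side Includes
        'Web-Mgmt-Compat',                     # IIS 6 Management Compatibility
        'SNMP-Services'                        # Monitoring/Alerts (SNMP) feature
    )
    # Add-WindowsFeature resolves the "required features" the wizard prompts for.
    $result = Add-WindowsFeature -Name $features
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'Restart required before continuing.' }
    return $result
}

$problems = Test-HpmCorePrerequisites
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    $r = Install-HpmCoreRoles
    $r.FeatureResult | Format-Table Name, DisplayName -AutoSize
    "Overall success: $($r.Success)"
}
```

Run the check first on its own (Test-HpmCorePrerequisites) if you only want the report; the install step refuses to run while any prerequisite from the guide's list is unmet, which is the point at which a domain controller or a DHCP-assigned address would otherwise get through unnoticed.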
When using the Windows Server 2003 R2 (32-bit) operating system with SP2, additional Windows components must be installed.
1. Click Start → Control Panel → Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Add the following components:
a. Application Server
• ASP.NET
• Internet Information Services (IIS)
b. Management and Monitoring Tools
• Simple Network Management Protocol
4. Click Next.
5. For Optional Networking Components, select Yes.
6. Click Finish.
7. Install Microsoft .NET Framework 2.0.
8. Restart the server.
Web Services Enhancements (WSE) 3.0 for Microsoft .NET must also be installed. This component is provided by Microsoft at the following Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=018a09fd-3a74-43c5-8ec1-8d789091255d&displaylang=en
1. Download the Microsoft WSE 3.0.msi installer package from the link above.
2. Extract the installer package and run the executable on the core server.
3. Follow the instructions in the Installation dialog box using only the default settings.
ThinkManagement Console with HPM server setup
Make sure the LDAP server (Microsoft Active Directory or Novell eDirectory) that acts as the LDAP authentication server for Hardware Password Manager is working properly.
To obtain the installation package for ThinkManagement Console with HPM, register to download from the Web site at http://www.landesk.com/lenovo. After completing the registration, you will receive an email with a link to download the installation package as well as LANDesk credentials for activating the core server after installation.
After you have downloaded the installation package, follow the instructions below to complete the core server installation.
1. Log on to the server with Administrator privileges.
2. Extract the ThinkManagement82D.exe installation package. Copy the path to which the installation source files will be extracted to the clipboard for easier access.
3. Run the ThinkManagement Console Autorun.exe from the location where the installation package was extracted to. Select Install on the core server. Follow the prompts in the Installation wizard and select Restart Now after installation.
4. Activate the core server by entering your LANDesk contact name and password in the Core Server Activation Utility (internet connection required).
5. Configure the LDAP Server:
a. Connect the HARDWARE PASSWORD MANAGER server and LDAP Authentication server to the network.
b. Launch the ThinkManagement Console.
c. In the toolbox, there is a ThinkVantage Hardware Password Manager group with three items: HPM Enrolled Users, HPM Groups, and Remote Actions and Policy Settings. Click HPM Groups and then click Configure LDAP server (the third button) on the toolbar.
d. Enter the information for the LDAP server that will serve as the authentication server. The following items need to be defined for the LDAP server:
• Host name: The name of the LDAP server.
• Port: The port number to communicate with the server. The default port is 389 for Microsoft Active Directory. If you need to query a global catalog to access multiple Active Directory domains, change the port to 3268. If you select Novell eDirectory as your LDAP server, the default port is 636.
• Server type: Select the type, either Microsoft Active Directory or Novell eDirectory.
• Encryption type: Select the type of encryption used for communication with the server.
• Authorized user:
– The user name for logging in to the Microsoft Active Directory server. A domain\username or simply a username.
– The user name for logging in to a Novell eDirectory server.
Note: It is better to use cn=adminname,o=admincontext. If Bind Restrictions is set to None, adminname.admincontext will work. If Bind Restrictions is set to Disallow anonymous simple bind, adminname.admincontext will not work.
• Password: The password for the authorized user on the LDAP server.
e. Click OK when the information is complete.
ThinkManagement Console core server setup is now complete.
Migrating to a new LDAP server
You may find that you need to change the IP address or host name of your LDAP server. You may also need to change to a new server with a different IP address, or even change to a different type of LDAP server. If any of these changes occurs, you need to create a new LDAP server configuration. To do this, repeat the LDAP configuration task in step 5. It is recommended that existing registered HPM devices be deregistered and then registered once again with the new LDAP configuration. Otherwise, the devices registered with the old LDAP configuration will not be able to perform various HPM actions such as an intranet account login.
Installing Hardware Password Manager on a Lenovo device
To add Hardware Password Manager features to a Lenovo device, you must deploy an HPM agent to the device. You can do this by using either a push or a pull method.
To deploy an agent with Hardware Password Manager client features:
1. In the ThinkManagement console, click Tools → Configuration → Agent Configuration.
2. Click New on the Agent Configuration toolbar, and enter a name for this agent configuration.
3. Make sure the Hardware Password Manager option is selected in the Agent Components to Install section.
4. Save the configuration.
If you only plan to use a single agent configuration or you plan to use the pull method of deployment, you should set this new agent configuration to be the default configuration.
To make this agent configuration the default:
1. In the Agent Configuration pane of the ThinkManagement Console, right-click the new agent configuration.
2. Click Set as default. A green check mark will appear over the icon for this configuration.
You can now use the push method to deploy the agent to your Lenovo devices. Refer to the Getting Started and Discovering and Installing Agents help wizards under the Help menu in the console for more information. For Getting Started, you only need to perform the Launch the Configure Services Tool and Configure Scheduler Credentials steps.
Notes:
1. To simplify the device discovery process, turn off the Windows® firewall.
2. For Windows XP, simple file sharing must be disabled on the Lenovo device. This is normally disabled by default for devices that log in to a domain. You can turn off this option from Windows Explorer. Click Tools → Folder Options → View, scroll to the bottom of the list and clear Use simple file sharing.
3. For Windows Vista® it is a good practice to turn User Account Control off.
When the agent is deployed, the HPM Client Portal is installed on the device. The file name of the Client Portal is cmp_portal.exe, which is located in the C:\Program Files\Lenovo\Hardware Password Manager directory.
You can also deploy the agent by using the pull method. This method involves connecting to a shared folder on the HPM server and running an application that will install the default agent configuration that was described previously.
1. Log in to the Lenovo device as the Domain Admin or as a local administrator.
2. Connect to the LDLOGON share either directly through Explorer or by mapping a network drive to \\<your HPM server name>\ldlogon using the Domain Admin credentials or other credentials that have been given access to this share.
3. From the shared drive launch WSCFG32.EXE. A dialog box is displayed showing the components that will be installed. Make sure the ThinkVantage Hardware Password Manager option is selected.
4. Follow the prompts to complete the agent installation.
In some cases it may be necessary to include the ThinkVantage Hardware Password Manager client in a corporate image or to deploy it through some other system management tool or process. To accommodate these scenarios, a self-contained executable package of the agent configuration can be generated from the console. This executable will install the agent without any user interaction.
To create a self-contained executable agent installation package:
1. Right-click the new agent configuration in the Agent Configuration pane of the ThinkManagement Console.
2. Click Create self-contained client installation package.
3. Specify the folder where you want to save the executable file in the dialog box displayed.
The name of the executable file will be based on the name of the agent configuration. The process will run in the background for about a minute. Two executable files and two log files will be created. One executable, designated by "_with_status", will provide an installer that displays installation status to the user. The other executable will install silently.
Chapter 3. Managing Hardware Password Manager devices with ThinkManagement Console
The available Hardware Password Manager functions in the console are described in the following sections:
• "Viewing Hardware Password Manager devices and their properties" on page 9
• "Managing enrolled users on Hardware Password Manager devices" on page 10
• "Configuring an LDAP server connection" on page 10
• "Viewing Hardware Password Manager users and their properties" on page 11
• "Removing a user's access to a Hardware Password Manager device" on page 12
• "Managing Hardware Password Manager groups" on page 12
• "Managing remote actions and policy settings for Hardware Password Manager devices" on page 13
• "Updating client policies globally" on page 14
• "Updating hardware passwords globally" on page 15
• "Updating the emergency account" on page 16
• "Changing server policy settings" on page 17
Viewing Hardware Password Manager devices and their properties
In the Network View, a separate folder under the Devices folder is added for Lenovo Hardware Password Manager devices that have been discovered and managed. Open this Hardware Password Managed devices folder to view a list of Computers and Hard disks.
To view a Hardware Password Manager device's properties:
1. In the ThinkManagement Console Network View, expand the Devices folder and then expand the Hardware Password Manager devices folder.
2. Click either Computers or Hard disks depending on the device type you need.
3. Right-click the name of the device and select HPM properties.
The information in the Properties dialog box is not editable. The details included on each of the tabs are summarized below.
Summary
Passwords listed on this tab are dimmed by default, which prevents the unintentional display of hardware passwords. To reveal them, select Show all password texts at the bottom of the tab.
• Registration time and status: lists the date/time of registration and current status.
• BIOS passwords: displays the passwords for each BIOS profile and the date/time the profile was last backed up. This section includes the supervisor password (SVP), which logs on to the device with administrator access, and the power-on password (POP), which logs on to the device as a user.
• Hard disk passwords: lists passwords for accessing each hard disk on the device. This section displays the master password, the user password, and any backup passwords that might have been generated for the hard disk (click View to view the list of backup passwords).
• Emergency admin account: lists the credentials for the administrative account that can access the Hardware Password Manager device. The emergency admin account is created on every device. This credential can be used in an emergency to access the device's BIOS with administrator privileges.
Enrolled users:
All users that are enrolled to access the Hardware Password Manager device are listed on this tab. The intranet account user name is the name used for LDAP user account login. The hardware account user name is the name used to save data to the hardware account (a secure area of non-volatile memory that can only be accessed by the computer's BIOS). The LDAP path shows the user's location in the LDAP server tree (for example, CN=ADMINISTRATOR,CN=USERS,DC=TESTLAB).
Member of:
This tab lists the intranet account groups that the device is a member of. The LDAP path shows the group's location in the LDAP server tree.
Remote actions:
The Remote actions section lists all previous remote actions that have been applied to this Hardware Password Manager device. The Remove user remote actions section lists users that were enrolled on the device but whose access has been removed.
Client policy:
The Windows policy list shows the status of operating system related policy settings currently applied on the device. The BIOS policy list shows the status of BIOS-related policy settings currently applied on the device. These settings are selected in the Update Client Policy dialog; see "Updating hardware passwords globally" on page 15 for more information.
Managing enrolled users on Hardware Password Manager devices
When a Lenovo Hardware Password Manager device is registered with the Hardware Password Manager server, the main user of that device is enrolled as an authorized user of that Hardware Password Manager device. You can enroll additional users on each Hardware Password Manager device, by using the Client Portal on the device or by including the user in a Hardware Password Manager group that has rights to that device.
To manage users for Hardware Password Manager devices, use the HPM Enrolled Users option in the ThinkManagement Console toolbox (or click Tools → ThinkVantage Hardware Password Manager → HPM Enrolled Users).
Using the HPM Enrolled Users tool, you can
• Configure the LDAP server connection
• View a list of Hardware Password Manager users
• View the properties of a Hardware Password Manager user
• Revoke a user's access to a Hardware Password Manager device
Configuring an LDAP server connection
In the Manage Enrolled Users view, users and groups are listed in a tree structure that displays the users and groups on the LDAP server you use for Hardware Password Manager authentication. To view that tree structure, you must first configure the LDAP server connection.
The information you enter in this dialog enables the Hardware Password Manager server to connect to the LDAP server, which can be either a Microsoft Active Directory server or a Novell eDirectory server.
You can migrate from one LDAP server to another without losing data. If you find that you need to use a different server for LDAP authentication, enter the configuration data for the new server.
To configure an LDAP server connection:
1. Click HPM Enrolled Users in the toolbox (or click Tools → ThinkVantage Hardware Password Manager → HPM Enrolled Users).
2. Click LDAP server.
3. Type the host name of the LDAP server in the Host name field.
4. If you want to use a port other than the default to access the server, clear Use default port and enter another port number.
5. Select Server type (Microsoft Active Directory or Novell eDirectory).
6. Select Encryption type for the server.
7. Type the credentials used to access the LDAP server in the Authorized user and Password fields. The user can be in the form of the domain\username or can simply be the username.
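The LDAP settings entered in this dialog are the same ones defined in step 5 of the core server setup in Chapter 2 (host name, port 389/3268/636 by server type, encryption type, authorized user in domain\username or cn=…,o=… form). Before committing them in the console it is worth confirming that the authorized-user credentials actually bind with the chosen port and encryption, since a wrong bind name or an unencrypted simple bind is only discovered later when device registration or intranet login fails. The following PowerShell is an added example for both passages, not code from the Lenovo guide or the ThinkManagement Console; it uses the .NET System.DirectoryServices.Protocols library, and the host name, user name and context values are placeholders you replace.

```powershell
# Added example (not from the Lenovo guide): derives the default port the guide
# lists for each server type, builds the authorized-user name in the form the
# guide recommends, and test-binds with those credentials before they are typed
# into the console's LDAP server dialog.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-HpmLdapDefaultPort {
    param(
        [ValidateSet('ActiveDirectory', 'eDirectory')] [string] $ServerType,
        [switch] $GlobalCatalog   # multiple AD domains: query the global catalog instead
    )
    switch ($ServerType) {
        'ActiveDirectory' { if ($GlobalCatalog) { 3268 } else { 389 } }
        'eDirectory'      { 636 }   # the guide's default; 636 is LDAP over SSL
    }
}

function Format-HpmBindName {
    # eDirectory: use the full DN, which works regardless of the Bind Restrictions
    # setting (the dotted adminname.admincontext form only works when it is None).
    # Active Directory: domain\username, or the bare username if no domain is given.
    param([string] $ServerType, [string] $UserName, [string] $Context)
    if ($ServerType -eq 'eDirectory') { return "cn=$UserName,o=$Context" }
    if ($Context) { return "$Context\$UserName" }
    return $UserName
}

function Test-HpmLdapBind {
    param(
        [string] $HostName, [int] $Port, [string] $BindName,
        [System.Security.SecureString] $Password, [switch] $UseSsl
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port)
    $cred = New-Object System.Net.NetworkCredential($BindName, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred)
    # The console dialog performs a simple bind; a simple bind sends the password in
    # clear unless the session is SSL-protected, so match the Encryption type you select.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.SecureSocketLayer = [bool] $UseSsl
    try     { $conn.Bind(); return $true }
    catch   { Write-Warning "Bind to ${HostName}:$Port as $BindName failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

# --- usage with placeholder values (replace host, user and context) ---
$serverType = 'eDirectory'
$port = Get-HpmLdapDefaultPort -ServerType $serverType
$bind = Format-HpmBindName -ServerType $serverType -UserName 'adminname' -Context 'admincontext'
$pw   = Read-Host -Prompt "Password for $bind" -AsSecureString
Test-HpmLdapBind -HostName 'ldap.example.com' -Port $port -BindName $bind -Password $pw -UseSsl:($port -eq 636)
```

For Active Directory, call Get-HpmLdapDefaultPort with -GlobalCatalog when the console must resolve users from several domains (port 3268), and pass -UseSsl whenever the Encryption type you select in the dialog is SSL; a bind that succeeds only with -UseSsl off tells you the directory will accept the console's credentials in the clear, which is the configuration to avoid.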
Viewing Hardware Password Manager users and their properties
The HPM Enrolled Users tool enables you to view all users that are enrolled to access Lenovo Hardware Password Manager devices. You can view a list of all users, or you can select groups in the LDAP directory tree to view subsets of the list. You can view all properties for each enrolled Hardware Password Manager user, including the user ID, LDAP path, groups that include the user, and devices the user is enrolled on. These properties are not editable in the Properties dialog box.
To view enrolled Hardware Password Manager users and their properties:
1. Click HPM Enrolled Users in the toolbox (or click Tools → ThinkVantage Hardware Password Manager → HPM Enrolled Users).
2. To view all enrolled users, click All users in the tree structure.
3. To view a subset of users, expand any groups that are listed in the tree structure and click a group name.
4. To view a user's properties, right-click the user in a user list and click Properties.
Note: You can also select the user and click Properties on the toolbar.
Options in the Properties dialog box are summarized below.
Summary:
This tab lists the ID and common name of the user, the path in the LDAP tree where the user is found, and the user's current status. The date and time when the user was enrolled as a Hardware Password Manager user is also listed.
Member of:
This tab lists the LDAP groups to which the user belongs, with the LDAP path of each group.
Enrolled devices:
This tab lists the devices on which the user is enrolled, with the device name and machine ID.
Remote actions:
This tab lists any Remove User actions that have been performed on the user, including the name of the device from which the user was removed and the date and time of the last status change.
Removing a user's access to a Hardware Password Manager device
After a user has been enrolled on a Hardware Password Manager device, you can remove that enrollment if the user should no longer have access to the device. To remove a user, create a remote action that is applied to each device you specify. The next time the device is connected to the Hardware Password Manager server to update its policy, the user will be removed from the list of users for that device.
To remove a user from a Hardware Password Manager device:
1. Click HPM Enrolled Users in the toolbox (or click Tools → ThinkVantage Hardware Password Manager → HPM Enrolled Users).
2. In the user list, select the user(s).
3. Click Revoke user on the toolbar.
4. In the Create Remote Action dialog box, clear the check box for one or more devices from which you want to remove the user.
5. Click OK.
Managing Hardware Password Manager groups
Hardware Password Manager groups link user groups (as defined in the LDAP server) with Hardware Password Manager devices. Hardware Password Manager groups are useful because they allow multiple users to access one or more devices without individually enrolling each user on each device. When a device is added to a group, all members of that group have access to the device and can use an intranet account to log in to the device.
When you open the HPM Groups tool, groups are listed in the LDAP tree view. Each group is created on your LDAP server; you cannot create a group in ThinkManagement Console. However, you can edit groups (define the group role) and drag devices into groups to associate those devices with the members of the groups.
Intranet account groups are distinguished by the role defined for the users in the group:
• User: an end user of a Hardware Password Manager device.
• Service Tech: an IT technician, authorized with limited access to the device for servicing. Access can be limited to a time frame (duration), or the technician can be authorized with a certain number of logins.
• Administrator: an administrative user authorized to access devices.
For example, all members of a group that is defined with the Service Tech role can log in to devices in the group for a specified number of times. If the role is defined so the user can only log in to the device two times, access to the device expires for the user after the second login.
To edit a Hardware Password Manager group:
1. Click HPM Groups in the toolbox (or click Tools → ThinkVantage Hardware Password Manager → HPM Groups).
2. In the LDAP tree view, click a group name and click Edit Intranet Account Group on the toolbar. Most items in the Edit Intranet Account Group dialog box are not editable. You can select the role for the group; if you select Service Tech, you can limit the access to Hardware Password Manager devices.
3. Select the role from the combo box.
4. Select With expiration if you want to limit the access to the device for a period of time or a specific number of logins. (This applies only to Service Tech users.)