Chapter3.WorkingwithClientSecuritySolution
BeforeyouinstallClientSecuritySolution,youshouldunderstandthecustomizationavailableforClient
SecuritySolution.ThischapterprovidescustomizationinformationaboutClientSecuritySolution,aswellas
informationregardingtheTrustedPlatformModule.ThetermsusedinthischapterreferencingtheTrusted
PlatformModulearedenedbytheTrustedComputingGroup(TCG).FormoreinformationabouttheTrusted
PlatformModulerefertothefollowingWebsite:
http://www.trustedcomputinggroup.org/
UsingtheTrustedPlatformModule
TheTrustedPlatformModuleisanembeddedsecuritychipdesignedtoprovidesecurity-relatedfunctions
forthesoftwareutilizingit.Theembeddedsecuritychipisinstalledonthemotherboardofasystemand
communicatesthroughahardwarebus.SystemsthatincorporateaTrustedPlatformModulecancreate
cryptographickeysandencryptthemsothattheycanonlybedecryptedbythesameTrustedPlatform
Module.Thisprocessisoftencalledwrappingakey,andhelpsprotectthekeyfromdisclosure.Onasystem
withaTrustedPlatformModule,themasterwrappingkey,calledtheStorageRootKey(SRK),isstoredwithin
theTrustedPlatformModuleitself,sotheprivateportionofthekeyisneverexposed.Theembeddedsecurity
chipcanalsostoreotherstoragekeys,signingkeys,passwords,andothersmallunitsofdata.Becauseof
thelimitedstoragecapacityintheTrustedPlatformModule,theSRKisusedtoencryptotherkeysforoff-chip
storage.TheSRKneverleavestheembeddedsecuritychip,andformsthebasisforprotectedstorage.
UsingtheembeddedsecuritychipisoptionalandrequiresaClientSecuritySolutionadministrator.Whether
forindividualuseroracorporateITdepartment,theTrustedPlatformModulemustbeinitialized.Subsequent
operations,suchastheabilitytorecoverfromaharddrivefailureorreplacedsystemboard,arealso
restrictedtotheClientSecuritySolutionadministrator.
Note:Ifyouarechangingtheauthenticationmodeandattempttounlockthesecuritychip,youmustlog
outandthenlogbackinasthemasteradministrator.Thiswillenableyoutounlockthechip.Youcanalso
logonasasecondaryuserandcontinuetoconverttheauthenticationmode.Thisisdoneautomatically
whenthesecondaryuserlogson.ClientSecuritySolutionwillpromptforthesecondaryuserpassword
orpassphrase.OnceClientSecuritySolutionisdoneprocessingthechange,thesecondaryusercan
proceedwithunlockingthechip.
UsingtheTrustedPlatformModulewithWindowsVista
IftheWindowsVistalogonisenabledandtheTrustedPlatformModuleisdisabled,youmustdisablethe
WindowslogonfeaturebeforedisablingtheTrustedPlatformModuleinF1BIOS.Doingthiswillprevent
asecuritymessagethatstates:Securitychiphasbeendeactivated,thelogonprocesscannotbe
protected.
Inaddition,ifyouareupgradingtheoperatingsystemofaclientsystem,youmustclearthesecuritychipto
avoidenrollmentfailureofClientSecurity.ToclearthechipinF1BIOS,thesystemmustbestartedfroma
coldboot.Youwillnotbeabletoclearthechipifyouattemptthisprocessafterawarmreboot.
ManagingClientSecuritySolutionwithcryptographickeys
ClientSecuritySolutionisdescribedbythetwomaindeploymentactivities;TakeOwnershipandEnroll
User.WhilerunningtheClientSecuritySolutionSetupWizardforthersttime,theTakeOwnershipand
EnrollUserprocessesarebothperformedduringtheinitialization.TheparticularWindowsuserIDthat
completedtheClientSecuritySolutionSetupWizardistheClientSecuritySolutionAdministratorandis
©CopyrightLenovo2008,2012
17
Kommentare zu diesen Handbüchern