enrolledasanactiveuser.Everyotheruserthatlogsintothesystemwillbeautomaticallyrequestedtoenroll
intoClientSecuritySolution.
•TakeOwnership
AsingleWindowsadministratoruserIDisassignedasthesoleClientSecuritySolutionAdministrator
forthesystem.ClientSecuritySolutionadministrativefunctionsmustbeperformedthroughthisuser
ID.TheTrustedPlatformModuleauthorizationiseitherthisuser’sWindowspasswordorClientSecurity
passphrase.
Note:TheonlywaytorecoverfromaforgottenClientSecuritySolutionAdministratorspasswordor
passphraseistoeitheruninstallthesoftwarewithvalidWindowspermissionsortoclearthesecuritychip
inBIOS.Eitherway,thedataprotectedthroughthekeysassociatedwiththeTrustedPlatformModule
willbelost.ClientSecuritySolutionalsoprovidesanoptionalmechanismthatallowsself-recoveryof
aforgottenpasswordorpassphrasebasedonaquestionandanswerchallengeresponse.TheClient
SecuritySolutionAdministratormakesthedecisionwhethertousethefeatureornot.
•EnrollUser
OncetheTakeOwnershipprocessiscompletedandaClientSecuritySolutionAdministratoriscreated,
aUserBaseKeycanbecreatedtosecurelystorecredentialsforthecurrentlyloggedonWindows
user.ThisdesignallowsformultipleuserstoenrollintoClientSecuritySolutionandleveragethesingle
TrustedPlatformModule.Userkeysareprotectedthroughthesecuritychip,butactuallystoredoff
thechipontheharddrive.Thisdesigncreatesharddrivespaceasthelimitingstoragefactorinstead
ofactualmemorybuiltintothesecuritychip.Thenumberofusersthatcanleveragethesamesecure
hardwareisvastlyincreased.
TakeOwnership
TherootoftrustforClientSecuritySolutionistheSystemRootKey(SRK).Thisnon-migratableasymmetric
keyisgeneratedwithinthesecureenvironmentoftheTrustedPlatformModuleandneverisexposedto
thesystem.TheauthorizationtoleveragethekeyisderivedthroughtheWindowsAdministratoraccount
duringtheTPM_TakeOwnershipcommand.IfthesystemisleveragingaClientSecuritypassphrase,thenthe
ClientSecuritypassphrasefortheClientSecuritySolutionAdministratorwillbetheTrustedPlatformModule
authorization,otherwiseitwillbetheClientSecuritySolutionAdministrator’sWindowspassword.
WiththeSRKcreatedforthesystem,otherkeypairscanbecreatedandstoredoutsideoftheTrusted
PlatformModule,butwrappedorprotectedbythehardware-basedkeys.SincetheTrustedPlatform
Module,whichincludestheSRKishardwareandhardwarecanbedamaged,arecoverymechanismis
neededtomakesuredamagetothesystemdoesnotpreventdatarecovery.
Inordertorecoverasystem,aSystemBaseKeyiscreated.ThisasymmetricstoragekeyenablestheClient
SecuritySolutionAdministratortorecoverfromasystemboardswaporplannedmigrationtoanother
system.InordertoprotecttheSystemBaseKey,butallowittobeaccessibleduringnormaloperationor
recovery,twoinstancesofthekeyiscreatedandprotectedbytwodifferentmethods.First,theSystem
BaseKeyisencryptedwithanAESSymmetricKeythatisderivedfromknowingtheClientSecuritySolution
Administrator'spasswordorClientSecuritypassphrase.ThiscopyoftheClientSecuritySolutionRecovery
KeyissolelyforthepurposeofrecoveringfromaclearedTrustedPlatformModuleorreplacedsystemboard
becauseofhardwarefailure.
ThesecondinstanceoftheClientSecuritySolutionRecoveryKeyiswrappedbytheSRKtoimportittothe
keyhierarchy.ThisdoubleinstanceoftheSystemBaseKeyallowstheTrustedPlatformModuletoprotect
secretsboundtoitbelowinnormalusageandallowsforarecoveryofafailedsystemboardthroughthe
SystemBaseKeythatisencryptedwithanAESKeyunlockedbytheClientSecuritySolutionAdministrator
passwordorClientSecuritypassphrase.Next,aSystemLeafKeyiscreated.Thiskeyiscreatedtoprotect
systemlevelsecretssuchastheAESKey.
18ClientSecuritySolution8.21DeploymentGuide
Kommentare zu diesen Handbüchern