Lenovo ThinkVantage (Client Security Solution 8.21) Bedienungsanleitung Seite 24

  • Herunterladen
  • Zu meinen Handbüchern hinzufügen
  • Drucken
  • Seite
    / 86
  • Inhaltsverzeichnis
  • LESEZEICHEN
  • Bewertet. / 5. Basierend auf Kundenbewertungen
Seitenansicht 23
enrolledasanactiveuser.Everyotheruserthatlogsintothesystemwillbeautomaticallyrequestedtoenroll
intoClientSecuritySolution.
TakeOwnership
AsingleWindowsadministratoruserIDisassignedasthesoleClientSecuritySolutionAdministrator
forthesystem.ClientSecuritySolutionadministrativefunctionsmustbeperformedthroughthisuser
ID.TheTrustedPlatformModuleauthorizationiseitherthisuser’sWindowspasswordorClientSecurity
passphrase.
Note:TheonlywaytorecoverfromaforgottenClientSecuritySolutionAdministratorspasswordor
passphraseistoeitheruninstallthesoftwarewithvalidWindowspermissionsortoclearthesecuritychip
inBIOS.Eitherway,thedataprotectedthroughthekeysassociatedwiththeTrustedPlatformModule
willbelost.ClientSecuritySolutionalsoprovidesanoptionalmechanismthatallowsself-recoveryof
aforgottenpasswordorpassphrasebasedonaquestionandanswerchallengeresponse.TheClient
SecuritySolutionAdministratormakesthedecisionwhethertousethefeatureornot.
EnrollUser
OncetheTakeOwnershipprocessiscompletedandaClientSecuritySolutionAdministratoriscreated,
aUserBaseKeycanbecreatedtosecurelystorecredentialsforthecurrentlyloggedonWindows
user.ThisdesignallowsformultipleuserstoenrollintoClientSecuritySolutionandleveragethesingle
TrustedPlatformModule.Userkeysareprotectedthroughthesecuritychip,butactuallystoredoff
thechipontheharddrive.Thisdesigncreatesharddrivespaceasthelimitingstoragefactorinstead
ofactualmemorybuiltintothesecuritychip.Thenumberofusersthatcanleveragethesamesecure
hardwareisvastlyincreased.
TakeOwnership
TherootoftrustforClientSecuritySolutionistheSystemRootKey(SRK).Thisnon-migratableasymmetric
keyisgeneratedwithinthesecureenvironmentoftheTrustedPlatformModuleandneverisexposedto
thesystem.TheauthorizationtoleveragethekeyisderivedthroughtheWindowsAdministratoraccount
duringtheTPM_TakeOwnershipcommand.IfthesystemisleveragingaClientSecuritypassphrase,thenthe
ClientSecuritypassphrasefortheClientSecuritySolutionAdministratorwillbetheTrustedPlatformModule
authorization,otherwiseitwillbetheClientSecuritySolutionAdministratorsWindowspassword.
WiththeSRKcreatedforthesystem,otherkeypairscanbecreatedandstoredoutsideoftheTrusted
PlatformModule,butwrappedorprotectedbythehardware-basedkeys.SincetheTrustedPlatform
Module,whichincludestheSRKishardwareandhardwarecanbedamaged,arecoverymechanismis
neededtomakesuredamagetothesystemdoesnotpreventdatarecovery.
Inordertorecoverasystem,aSystemBaseKeyiscreated.ThisasymmetricstoragekeyenablestheClient
SecuritySolutionAdministratortorecoverfromasystemboardswaporplannedmigrationtoanother
system.InordertoprotecttheSystemBaseKey,butallowittobeaccessibleduringnormaloperationor
recovery,twoinstancesofthekeyiscreatedandprotectedbytwodifferentmethods.First,theSystem
BaseKeyisencryptedwithanAESSymmetricKeythatisderivedfromknowingtheClientSecuritySolution
Administrator'spasswordorClientSecuritypassphrase.ThiscopyoftheClientSecuritySolutionRecovery
KeyissolelyforthepurposeofrecoveringfromaclearedTrustedPlatformModuleorreplacedsystemboard
becauseofhardwarefailure.
ThesecondinstanceoftheClientSecuritySolutionRecoveryKeyiswrappedbytheSRKtoimportittothe
keyhierarchy.ThisdoubleinstanceoftheSystemBaseKeyallowstheTrustedPlatformModuletoprotect
secretsboundtoitbelowinnormalusageandallowsforarecoveryofafailedsystemboardthroughthe
SystemBaseKeythatisencryptedwithanAESKeyunlockedbytheClientSecuritySolutionAdministrator
passwordorClientSecuritypassphrase.Next,aSystemLeafKeyiscreated.Thiskeyiscreatedtoprotect
systemlevelsecretssuchastheAESKey.
18ClientSecuritySolution8.21DeploymentGuide
Seitenansicht 23
1 2 ... 19 20 21 22 23 24 25 26 27 28 29 ... 85 86

Kommentare zu diesen Handbüchern

Keine Kommentare