Lenovo ThinkVantage (Client Security Solution 8.21) User Manual, Page 27

The TPM emulation mode cannot be used as a secure substitute for the TPM. The TPM provides the following two key protection methods that are more secure than the TPM emulation mode.
  • All keys used by the TPM are protected by a unique root-level key. The unique root-level key is created inside the TPM and cannot be seen or used outside of the TPM. In the TPM emulation mode, the root-level key is a software-based key stored on the hard disk drive.
  • All private key operations are performed within the TPM, so that the private key material for any key is never exposed outside of the TPM. In the TPM emulation mode, all private key operations are performed in software, so there is no protection of the private key material.
The TPM emulation mode is primarily for the user who is less concerned about security and more concerned about system logon speed.
System board swap
A system board swap implies that the old SRK to which keys were bound is no longer valid, and another SRK is needed. This can also happen if the Trusted Platform Module is cleared through the BIOS.
The Client Security Solution Administrator is required to bind the system credentials to a new SRK. The System Base Key will need to be decrypted through the System Base AES Protection Key derived from the Client Security Solution Administrator's authorization credentials.
If a Client Security Solution Administrator is a domain user ID and the password for that user ID was changed on a different machine, the password that was last used when logged on to the system needing recovery will need to be known in order to decrypt the System Base Key for recovery. For example, during deployment a Client Security Solution Administrator user ID and password will be configured. If the password for this user changes on a different machine, then the original password set during deployment will be the required authorization in order to recover the system.
Follow these steps to perform the system board swap:
1. The Client Security Solution Administrator logs on to the operating system.
2. Logon-executed code (cssplanarswap.exe) recognizes that the security chip is disabled and requires a reboot to enable it. (This step can be avoided by enabling the security chip through the BIOS.)
3. The system is rebooted and the security chip is enabled.
4. The Client Security Solution Administrator logs on; the new Take Ownership process is completed.
5. The System Base Key is decrypted using the System Base AES Protection Key that is derived from the Client Security Solution Administrator's authentication. The System Base Key is imported to the new SRK and re-establishes the System Leaf Key and all credentials protected by it.
6. The system is now recovered.
Note: System board swap is not needed when using Emulation Mode.
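
The recovery dependency described above, modelled as an added example that is not Client Security Solution code: the System Base Key backup only opens with the password that was in effect when it was protected on this system. Assumptions: PBKDF2 as the derivation, an HMAC-SHA256 encrypt-then-MAC construction standing in for AES, the SRK modelled as a random symmetric key, and all function names and passwords.

```python
import hashlib, hmac, os

def derive_protection_key(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256; the manual does not name the derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key, secret):
    # Stand-in for AES (stdlib only): HMAC-SHA256 keystream, encrypt-then-MAC.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def recover_after_swap(admin_password, salt, backup_blob, new_srk):
    # Step 5: decrypt the System Base Key, then import it under the new SRK.
    base_key = unwrap(derive_protection_key(admin_password, salt), backup_blob)
    return wrap(new_srk, base_key)

def demo():
    # Constructed sample values; the SRK is modelled as a random symmetric key.
    salt, new_srk, system_base_key = os.urandom(16), os.urandom(32), os.urandom(32)
    # Deployment: the base key is protected under the key derived from the admin password.
    backup = wrap(derive_protection_key("Deploy-Pass-1", salt), system_base_key)
    # The password is later changed on a different machine; this blob never sees it.
    try:
        recover_after_swap("Changed-Elsewhere-2", salt, backup, new_srk)
        new_password_rejected = False
    except ValueError:
        new_password_rejected = True
    # The password last used on this system still decrypts the base key.
    rebound = recover_after_swap("Deploy-Pass-1", salt, backup, new_srk)
    return new_password_rejected, unwrap(new_srk, rebound) == system_base_key

if __name__ == "__main__":
    print(demo())
```
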
Chapter 3. Working with Client Security Solution 21