HP Compaq NC4010 Specification sheet

HP ProtectTools
Firmware security features in HP business notebooks
Embedded Security Overview ............................................................................................................... 2
Basics of Protection .............................................................................................................................. 2
Protecting against unauthorized access – user authentication ....................................................................3
Pre-boot Authentication on HP Notebooks............................................................................................... 3
Power-on Password authentication overview........................................................................................ 4
Enabling Power-on password......................................................................................................... 4
Smart card authentication overview.................................................................................................... 4
Enabling smart card pre-boot authentication .................................................................................... 4
Embedded security chip pre-boot authentication overview..................................................................... 5
Enabling embedded security chip pre-boot user authentication .............................................................. 5
Protecting local storage ........................................................................................................................ 5
DriveLock hard drive protection ......................................................................................................... 6
TPM enhanced DriveLock .................................................................................................................. 6
Securing Devices ................................................................................................................................. 6
Boot Options ................................................................................................................................... 7
Device Control................................................................................................................................. 7
Accessing BIOS Security Features from Microsoft Windows ...................................................................... 7
Working with BIOS Configuration Profiles......................................................................................... 10
Enabling Profiles ............................................................................................................................ 10
Appendix ......................................................................................................................................... 11
For more information.......................................................................................................................... 12

Embedded Security Overview
A computer system is only as secure as its weakest component. Creating a secure system involves
looking at all areas of vulnerability and creating solutions to address those areas. HP ProtectTools
does that by providing a solution for all points of vulnerability. These include:
• Securing the device
• Securing the network
• Protecting the data
Security solutions installed at the operating system (OS) level can provide a lot of protection against
unauthorized access. In order to truly cover such a broad scope, security has to also be built into the
hardware and firmware. This is referred to as embedded security.
Unlike OS level security software, embedded security features can only be provided by the system
manufacturer. Knowing this, HP has devoted considerable resources to creating a rich set of
embedded security features that work together to enable enhanced security.
This document explores the embedded security features built into HP notebooks.
Basics of Protection
A typical computer system stores sensitive data on a local hard drive, and may also have access to
network resources containing sensitive information. In order to help secure this computer, the
following need to happen:
•Protect against unauthorized access -- This is done to ensure that an unauthorized person does not
access the information stored on a local hard drive, and does not use the computer to gain access
to network resources.
•Protect local storage -- This is done to ensure that information cannot be accessed by simply
removing the hard drive from a secure computer and inserting it into a non-secure computer.
•Secure devices -- This is done primarily to ensure that the computer does not boot using a device
other than the primary hard drive and access sensitive information by completely bypassing the
operating system authentication.
While these objectives can be achieved by using functionality at the OS level, HP provides embedded
security features that enhance user authentication, data protection and device protection.

Figure: Embedded Layers of Protection
Protecting against unauthorized access – user
authentication
User authentication on current operating systems is password based. These operating systems
authenticate users and grant access based on the correct entry of a user name and password.
Externally, software tools can enhance this functionality to require devices other than passwords, such
as hardware tokens and biometrics, but the underlying authentication is still password based. This
means that the smart card login software installed to support smart cards forces a user to authenticate
using a smart card, but passes that authentication to the operating system using a password.
This operating system password is stored on the system, and can be manipulated to gain
unauthorized access. Currently, software tools exist that can reset an operating system password,
unlocking the user account.
In order to help protect the user from such an intrusion, another layer of authentication is added. This
authentication is referred to as “pre-boot authentication” and occurs immediately after turning on the
computer and before the operating system is allowed to load.
Pre-boot Authentication on HP Notebooks
Pre-boot authentication requiring passwords has been available on computers for some time. HP has
now expanded this functionality to allow authentication via other devices. This allows users to use the
same device for pre-boot as well as operating system level authentication, making the process easy
and convenient for authorized users.
HP nc series business notebooks feature support for three types of authentication at boot-up:
1. Power-on password – the user is required to enter a password on boot
2. Smart card authentication – the user is required to present the correct smart card and PIN on boot
3. Embedded security chip authentication – the user is required to enter their basic user key pass
phrase on boot
All three of these features provide layers of protection against unauthorized access to the notebook
including attacks that take advantage of the ability to boot to a device other than the primary hard
drive.

Power-on Password authentication overview
Pre-boot power-on authentication is a simple but effective implementation of pre-boot security and has
been available on computers for some time. In their simplest form, power-on passwords require a
user to enter a password that gets stored in the system’s non-volatile memory. At power-on, the
system prompts the user for the stored password and allows the boot process to continue if the correct
password is entered.
If an incorrect password is entered three times, no further retries are permitted until the system is
powered down and restarted. This feature further protects the system from unauthorized access by
forcing the password to be entered manually.
If care is taken to choose a strong password, power-on passwords are an effective way to enhance
system security and help protect systems against unauthorized access.
The drawback to power-on passwords is that typically a computer can only have one. This means
power-on passwords are effective only on single user systems.
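As an added illustration (not HP firmware code), the following Python model shows the two properties this section relies on: the enrolled credential in non-volatile memory is something the firmware can check but not read back (a salted PBKDF2 hash in this model, an assumption rather than HP's documented storage format), and the failed-attempt counter is kept only in volatile state, so three wrong entries lock the prompt until a power cycle. The password value and all class and function names are constructed for the example.

```python
"""Model of a pre-boot power-on password check with a three-strike lockout.

Added illustration, not HP firmware code. Assumptions: the credential held in
non-volatile memory is a salted PBKDF2 hash (a verifier, not the password),
and the failed-attempt counter lives only in volatile state, so only a
power-down/restart clears it.
"""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


class NonVolatileMemory:
    """Stand-in for the BIOS NVRAM that holds the enrolled credential."""

    def __init__(self):
        self.salt = None
        self.digest = None


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll_power_on_password(nvram, password):
    """Store a verifier only; the firmware can check but never read back the password."""
    nvram.salt = os.urandom(16)
    nvram.digest = _derive(password, nvram.salt)


class PreBootAuthenticator:
    """Volatile per-boot state: how many attempts remain since power-on."""

    def __init__(self, nvram):
        self.nvram = nvram
        self.attempts_left = MAX_ATTEMPTS
        self.locked = False

    def try_password(self, candidate):
        """Return 'BOOT', 'RETRY' or 'LOCKED' for one entry at the prompt."""
        if self.locked:
            # Even the correct password is refused until the next power cycle.
            return "LOCKED"
        if hmac.compare_digest(_derive(candidate, self.nvram.salt), self.nvram.digest):
            return "BOOT"
        self.attempts_left -= 1
        if self.attempts_left == 0:
            self.locked = True
            return "LOCKED"
        return "RETRY"

    def power_cycle(self):
        """A power-down and restart is the only thing that clears the lockout."""
        self.attempts_left = MAX_ATTEMPTS
        self.locked = False


def demo():
    """Three wrong guesses, then a correct entry while locked, then a restart."""
    nvram = NonVolatileMemory()
    enroll_power_on_password(nvram, "correct horse battery staple")  # constructed sample
    boot = PreBootAuthenticator(nvram)
    results = [boot.try_password(p) for p in ("guess1", "guess2", "guess3")]
    results.append(boot.try_password("correct horse battery staple"))  # still locked
    boot.power_cycle()
    results.append(boot.try_password("correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks through the sequence the section describes: two retries, a lockout on the third failure, refusal of even the right password while locked, and a successful boot only after the power cycle.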
Enabling Power-on password
A power-on password can be enabled via BIOS configuration by pressing F10 at startup. It can also
be enabled via the BIOS configuration module for HP ProtectTools. To enable it, enter BIOS Setup, and
from the Security menu, select Power-On Password.
In the BIOS configuration module for HP ProtectTools, the power-on password can be enabled by setting
Power-on Password from the Passwords page.
Best Practice
To ensure that the power-on password cannot be easily guessed,
passwords should be created using established guidelines, and personal
information should never be used as a password.
Smart card authentication overview
The ability to use a smart card for pre-boot authentication is an HP professional innovation. This
feature adds the security of multifactor authentication to pre-boot security and gives the added
convenience of having to remember only the PIN.
Smart card authentication works by storing the BIOS pre-boot password on the smart card. At pre-
boot, once the smart card is inserted and the correct PIN has been entered, the BIOS password is
released, and the boot process then continues.
Since the user has to enter only a PIN, system administrators have the freedom to create extremely
strong BIOS passwords, making unauthorized access even more difficult while at the same time
making authorized access simpler.
With smart card pre-boot authentication, multi-user access becomes possible. While the same power-
on password is stored on every smart card, each smart card is unique, with a unique user name and
unique PIN.
Enabling smart card pre-boot authentication
Enabling smart card pre-boot authentication is a two step process.
1. Smart card power-on support should be enabled. This can be done either in the BIOS setup by
pressing F10 at start up, or via the BIOS configuration module for HP ProtectTools. To
enable, enter BIOS setup and from the Security menu, select and then enable Smart Card
Security.

2. The BIOS password should be stored on the smart card. This is done via the HP ProtectTools smart
card security module. To complete this step, select the BIOS tab on the smart card security
module and enable smart card security. If the card has not already been initialized, HP
ProtectTools smart card security will automatically walk the user through card initialization.
Best Practice
In order to use smart card pre-boot security, it is best to create both an
administrator card and a user card. The administrator card should be kept
in a safe location away from the computer, and the user card should be
used for daily access. This will allow user access if the user card is lost or
stolen, and the administrator card can be used to create another user card.
Embedded security chip pre-boot authentication overview
Embedded security chip pre-boot authentication is a user authentication mechanism that utilizes the
trusted platform module, or embedded security chip to authenticate the user prior to allowing the
system to boot. The BIOS administrator must enable the use of the feature through a BIOS
configuration utility – F10 Setup accessed in the pre-boot environment or through the HP ProtectTools
Security Manager application. When enabled, the user is prompted for the embedded security chip
basic user key password at boot-up and the embedded security chip validates what the user enters. If
the authentication succeeds, the BIOS continues to boot the operating system. Otherwise, it may
allow several more retries but ultimately shuts down or halts the system when all allowed retries are
exhausted.
Embedded security chip pre-boot authentication enhances system security in a number of respects:
• Using the same embedded security chip basic user key password to boot the system, as well as to
access security features at the application level. This provides the benefits of user authentication in
the pre-boot environment without requiring the user to remember an additional password
(assuming that the user is using the embedded security chip for other applications).
• Protecting the password with embedded security chip hardware and eliminating the need to save
the password in the BIOS flash for comparison. With embedded security chip pre-boot
authentication, an encrypted version of the basic user key password is stored, and this password
can only be decrypted by the TPM used to encrypt it, effectively tying the password to the system.
Enabling embedded security chip pre-boot user authentication
Similar to smart card pre-boot setup, the TPM pre-boot setup is also a two step process.
1. Before the TPM can be used for pre-boot authentication, ownership has to be established, which
involves initializing the TPM and creating an owner password and a basic user password.
TPM initialization is handled by a wizard invoked automatically upon operating system login.
2. After TPM initialization, enabling of embedded security chip pre-boot authentication is controlled
in the BIOS setup, which requires administrator access. This new setting is added as a field
in F10 setup under the Embedded Security menu. It is also accessible through the HP
ProtectTools Security Manager application, again requiring the BIOS administrator password.
Protecting local storage
One way to bypass strong user authentication is to remove the hard drive from a secure system and
insert it into an un-secure system. By using the primary hard drive from a secure system as a
secondary hard drive on an un-secure system, virtually all data on an unprotected hard drive
becomes accessible.

HP notebooks enable a hard drive security feature called DriveLock. DriveLock, if enabled, locks the
hard drive with a password. At power-on, the user is prompted for the DriveLock password. The
hard drive is accessible only after the correct DriveLock password is entered.
DriveLock hard drive protection
DriveLock is not another password that the user has to remember. DriveLock integrates with power-on
password, and if both are the same, the user is required to enter only a single password in order to
unlock the system as well as the hard drive.
The DriveLock password is stored inside the hard drive itself and cannot be read; it can only be
authenticated against. In practical terms, this means that an unauthorized user has no
means to read the DriveLock password stored on a hard drive. In order to unlock the hard drive, the
correct password has to be entered.
A hard drive protected with a DriveLock password stays protected even if removed from one system
and inserted into another.
DriveLock can be enabled in BIOS setup by selecting DriveLock Passwords from the Security menu.
This will prompt the user to create a master password and a user password before enabling
DriveLock.
Best Practice
Always select a strong master and user password. Ensure that the master
password is different from the user password. In the event that the user
password is lost, the master password can be used to access the hard drive
and to reset the user password.
TPM enhanced DriveLock
A new enhancement to the DriveLock feature is the TPM enhanced DriveLock. TPM enhanced
DriveLock is another HP professional innovation that adds a level of security to the computer without
sacrificing usability for the authorized user.
TPM enhanced DriveLock ties pre-boot embedded security chip authentication to DriveLock by
automatically using a TPM generated 32-character DriveLock user password. This DriveLock user
password is a random number and is not stored anywhere.
At pre-boot, once a user has successfully authenticated to the embedded security chip, the 32-
character DriveLock password is automatically entered and the boot process continues.
For an authorized user, the login process is completely transparent. However, unauthorized access is
now even more difficult due to the randomly generated DriveLock user password.
TPM enhanced DriveLock protection can be enabled in the BIOS setup, in the Security menu. It can
also be enabled in the BIOS configuration for HP ProtectTools in the Security section.
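To show how a chip-bound DriveLock password can be "not stored anywhere" and still be reproduced on every boot, here is an added Python model; it is not HP's or any TPM vendor's implementation. It assumes a per-chip secret that never leaves the chip, verifies the basic user key pass phrase against an HMAC tag rather than a stored password (standing in for the "encrypted version" the pre-boot authentication section mentions), and re-derives the 32-character DriveLock user password from the chip secret after a successful check. The whitepaper states only that the password is random and unstored, so derivation from a chip secret is this model's design choice. The drive side keeps a verifier only, matching the DriveLock section's point that the password can be authenticated against but not read. All class names, function names and sample values are constructed.

```python
"""Model of TPM-enhanced DriveLock: a 32-character drive password that exists
only inside the chip.

Added illustration, not HP's or a TPM vendor's code. Assumptions: the chip
holds a secret that never leaves it; the basic user key pass phrase is
verified against an HMAC tag (what BIOS flash would hold) rather than the
pass phrase itself; the DriveLock user password is re-derived from the chip
secret each boot instead of being stored anywhere.
"""
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 32
PBKDF2_ROUNDS = 50_000


def _to_password(seed):
    # Map key material onto 32 printable characters. A production design would
    # sample without modulo bias; this is sufficient for the model.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in seed[:PASSWORD_LENGTH])


class EmbeddedSecurityChip:
    """Toy TPM: the secret is generated inside and never exported."""

    def __init__(self, chip_secret=None):
        self._secret = chip_secret if chip_secret is not None else os.urandom(32)
        self._user_key_tag = None  # the only thing BIOS flash would need to keep

    def _tag(self, passphrase):
        return hmac.new(self._secret, b"basic-user-key|" + passphrase.encode(),
                        hashlib.sha256).digest()

    def enroll_basic_user_key(self, passphrase):
        self._user_key_tag = self._tag(passphrase)

    def authenticate(self, passphrase):
        if self._user_key_tag is None:
            return False
        return hmac.compare_digest(self._tag(passphrase), self._user_key_tag)

    def drivelock_user_password(self, passphrase):
        """Re-derive the DriveLock password; released only after the basic user
        key check succeeds. Nothing about it is stored between boots."""
        if not self.authenticate(passphrase):
            return None
        seed = hmac.new(self._secret, b"drivelock-user-password", hashlib.sha512).digest()
        return _to_password(seed)


class DriveLockedDisk:
    """Toy hard drive: keeps only a verifier, so the password can be
    authenticated against but never read back."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._verifier = None
        self.unlocked = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def set_user_password(self, password):
        self._verifier = self._derive(password)

    def unlock(self, candidate):
        if candidate is None or self._verifier is None:
            self.unlocked = False
        else:
            self.unlocked = hmac.compare_digest(self._derive(candidate), self._verifier)
        return self.unlocked


def demo():
    """Transparent unlock on the original system; locked elsewhere."""
    passphrase = "basic user key pass phrase"  # constructed sample
    chip_a = EmbeddedSecurityChip()
    chip_a.enroll_basic_user_key(passphrase)

    disk = DriveLockedDisk()
    disk.set_user_password(chip_a.drivelock_user_password(passphrase))

    # Authorized user on the original system: the chip supplies the password.
    on_original = disk.unlock(chip_a.drivelock_user_password(passphrase))

    # Wrong pass phrase: the chip releases nothing at all.
    wrong_phrase = chip_a.drivelock_user_password("not the pass phrase")

    # Same drive moved to a system with a different chip: the derived password
    # differs, so the drive stays locked even with the correct pass phrase.
    chip_b = EmbeddedSecurityChip()
    chip_b.enroll_basic_user_key(passphrase)
    on_other_system = disk.unlock(chip_b.drivelock_user_password(passphrase))

    return {
        "password_length": len(chip_a.drivelock_user_password(passphrase)),
        "unlocks_on_original": on_original,
        "wrong_phrase_release": wrong_phrase,
        "unlocks_on_other_system": on_other_system,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three behaviours the section claims: the authorized user's unlock is transparent on the original system, a wrong pass phrase yields no password at all, and the same drive in a system with a different chip stays locked because the derived 32-character password is tied to the chip that created it.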
Securing Devices
If a computer is allowed to boot from a device other than the primary hard drive, the user
authentication built into the operating system can easily be bypassed. HP Notebooks provide very
sophisticated functionality that gives users control over multi-boot capability and boot order, in
addition to control over individual ports.
The device security features of the BIOS are split into two categories.
1. Controlling boot order and boot devices

2. Enable / Disable devices
Boot Options
Boot Options allow users to control multiboot, which is the user’s ability to choose boot order. Boot
order can be prioritized among the following devices:
a. hard drive (primary, secondary)
b. diskette drive
c. optical drive
d. USB storage devices (hard drive, diskette drive, optical drive)
e. network
The BIOS can provide finer control over the ability to boot by giving users the ability to
enable/disable boot from the following devices:
a. optical device
b. diskette drive
c. network boot
Best Practice
If there is no regular need to boot from devices other than the primary hard
drive, then the system should be configured to not allow booting from the
optical drive, diskette drive or the network.
Device Control
Device control options are intended to give users control over the computer’s external ports.
Disabling an external port helps ensure that the port isn’t used by unauthorized users to transfer
sensitive information from the client system, nor is it used to gain unauthorized access to the client
system.
Device disabling options can be accessed in BIOS setup, as well as in the BIOS configuration module for
HP ProtectTools, where the following ports can be disabled.
a. serial port
b. infrared port
c. parallel port
d. SD slot
Accessing BIOS Security Features from Microsoft Windows
Security features serve their purpose only if used as intended. For this reason, usability is extremely
important in order to have a secure system. If computer security is easy to use and does not interfere
with a user’s ability to be productive, users will not try to bypass it.
This insight is behind the HP ProtectTools focus on usability, and the primary focus of the BIOS
configuration for HP ProtectTools module. All security features provided by the BIOS configuration
module are available in the BIOS setup. However, the BIOS configuration module makes these
features available directly from within Windows.
With BIOS Configuration for HP ProtectTools, authorized users can get access to power-on user and
administrator password management, and they can configure pre-boot authentication features, such
as smart card, power-on password and the embedded security chip.

BIOS configuration for HP ProtectTools
With BIOS Configuration for HP ProtectTools, authorized users can:
• Manage power-on user and administrator passwords
• Configure pre-boot authentication features such as smart cards, power-on passwords, and
DriveLock
• Configure the ability to boot to devices other than the primary hard drive

Table 1 -- BIOS Configuration for HP ProtectTools features and benefits

Feature: Works with HP ProtectTools Security Manager
Benefit: User interface is fully integrated into the HP ProtectTools Security Manager.

Feature: Provides access to BIOS security and configuration features from within the operating system
Benefit: Provides an easier to use alternative to the pre-boot BIOS configuration utility (known as F10 Setup).

Feature: Enhanced security feature set that takes advantage of other HP ProtectTools supported security technologies such as smart cards and embedded security chips
Benefit: Provides better protection against unauthorized access to the PC through features that help protect the system from the moment power is turned on.
- Embedded security chip pre-boot authentication requires that users securely authenticate to the chip prior to allowing the system to boot, which helps protect against attacks that exploit the ability to boot to alternative operating system environments.
- Embedded security chip enhanced DriveLock protects a hard drive from unauthorized access even if removed from a system, without requiring the user to remember any additional passwords beyond the embedded security chip user pass phrase.
- Working with Smart Card Security for HP ProtectTools, pre-boot smart card authentication requires users to present their smart card prior to allowing the system to boot.
Enabling access to BIOS security configuration from within the HP ProtectTools Security Manager
creates an integrated security solution and enables authorized users to control every aspect of security
management from a single application with a common user interface. The following table describes
the key BIOS security features¹ that become accessible from the HP ProtectTools Security Manager
using the BIOS Configuration Module.
Table 2 - Key BIOS security features made accessible by the BIOS Configuration Module

Feature: Embedded security chip pre-boot authentication
Description: Utilizes the embedded security chip for user authentication. Users need to input the basic user key pass phrase.
Benefit: Helps protect against unauthorized access to the PC by preventing access to the computer by booting from a device other than the primary hard drive. Provides security benefits similar to a power-on password; however, by allowing the user to use their embedded security chip pass phrase, users are not required to remember an additional password.

Feature: Embedded security chip enhanced DriveLock
Description: Requires a user to authenticate to the embedded security chip before a DriveLock protected hard drive can be accessed. A separate DriveLock password is not required.
Benefit: DriveLock helps protect a hard drive from unauthorized access even if physically removed from a system. Allows very strong, random DriveLock passwords to be automatically set in a way that is completely transparent to users (does not require the user to remember another password). Ties a hard drive to a specific system with a specific embedded security chip, preventing other systems from accessing the hard drive if it is physically removed from the original system.

Feature: Smart card pre-boot authentication
Description: Requires a user to insert a smart card and, optionally, enter a PIN to authenticate prior to an operating system being allowed to load.
Benefit: Protects a system from unauthorized access by requiring a user to insert their smart card to boot the system. The same smart card used to authenticate a user in the pre-boot environment can also be used with HP ProtectTools to log in to Microsoft® Windows® XP or Windows 2000.

¹ Pre-boot authentication features are available on select platforms. Refer to platform specific specifications for more details.
BIOS Configuration for HP ProtectTools is supported on most HP business notebooks, desktops and
workstations.
Working with BIOS Configuration Profiles
The BIOS Configuration for HP ProtectTools module contains the ability to create and manage
profiles. Profiles allow the administrator to configure the BIOS security settings and save the settings
to a file. This file can then be imported into other computers. Profiles also allow the administrator to
create situation-specific security settings, and then load the appropriate profile when needed.
(Example: Create a home profile that uses less stringent security but is convenient to use, and a
separate travel profile with more stringent security.)
Enabling Profiles
1. Start the Command Line window by selecting Start\Run and entering “cmd”
2. Type "C:\Program Files\HPQ\HP BIOS Configuration for ProtectTools\Hpqsetup.exe" /p
Hpqsetup command line switches
/f = Specify INI file path
/k = Specify password for decrypting the INI file created with the HP BIOS Configuration for ProtectTools
     e.g. Hpqsetup.exe /fc:\test.ini /kpassword
/p = Display the "profiles page" on the BIOS security add-in module, which is hidden by default.
     e.g. hpqsetup.exe /p

Appendix
The following table lists the BIOS security features mentioned in this whitepaper, and maps those
features on to the supported notebook PCs.
Notebook Model | Power-on Password | DriveLock | Power-on TPM | TPM Enhanced DriveLock | Pre-boot Smartcard Authentication | BIOS Configuration for HP ProtectTools
tc1100         | Y                 | Y         | N/A          | N/A                    | N                                 | N
nc4000         | Y                 | Y         | N/A          | N/A                    | N                                 | N
nc4010         | Y                 | Y         | Y            | Y                      | N                                 | Y
nc4200         | Y                 | Y         | Y            | Y                      | Y                                 | Y
tc4200         | Y                 | Y         | Y            | Y                      | Y                                 | Y
nc6000         | Y                 | Y         | Y            | Y                      | N                                 | Y
nc61xx         | Y                 | Y         | Y            | Y                      | Y                                 | Y
nc6200         | Y                 | Y         | Y            | Y                      | Y                                 | Y
nc8000         | Y                 | Y         | Y            | Y                      | N                                 | Y
nw8000         | Y                 | Y         | Y            | Y                      | N                                 | Y
nc8200         | Y                 | Y         | Y            | Y                      | Y                                 | Y
nx8200         | Y                 | Y         | Y            | Y                      | Y                                 | Y
nw8200         | Y                 | Y         | Y            | Y                      | Y                                 | Y

For more information
1. HP ProtectTools Security Manager, Hewlett-Packard Company, 2004
2. HP ProtectTools Embedded Security – the HP Trusted Computing Implementation, Hewlett-Packard
Company, October 2003.
3. HP Embedded Security for ProtectTools - Embedded Security Chip Pre-Boot User Authentication,
Hewlett-Packard Company, January 2005.
4. HP ProtectTools Embedded Security – Expanding Trust Within the Enterprise Computing
Environment, Hewlett-Packard Company, May 2003.
5. ProtectTools Smart Card Security Manager, Hewlett-Packard Company, July 2003.
6. Pearson, Siani, et al, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall PTR,
July 2002.
© 2005 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. The only warranties for
HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed
as constituting an additional warranty. HP shall not be liable for technical or
editorial errors or omissions contained herein.
4AA0-0697ENW, 06/2005