IBM/Lenovo ThinkVantage Client Security Software 5.43
For Microsoft Windows XP with Service Pack 1 or higher;
or Windows 2000 with Service Pack 3 or higher

10/20/05

Disk space needed: 16,175,488

======================================================================

SYSTEM REQUIREMENTS AND PREREQUISITES
----------------------------------------------------------------------

- This package requires the following additional package(s):

Note: If you are using a ThinkPad, NetVista or ThinkCentre computer
with a security chip that is not TCG-compliant, you must use Client
Security Software 5.3. Client Security Software 5.43 will not install
successfully on these computers.

Note: If you are using a ThinkPad, NetVista, or ThinkCentre computer
with Client Security Solution 6.0 already installed, Client Security
Software 5.43 will not install.

Required software versions to use with this release
===================================================
- IBM Password Manager Release 1.4
- IBM File and Folder Encryption Release 2.10

CSS 5.43: Supported GINAs
=========================
- IBM Access Connections GINA (qcongina.dll)
- Utimaco SafeGuard Easy GINA (sslogon.dll)
- Atheros Wireless GINA (athgina.dll)
- Intel Wireless GINA (iWPDGina.dll)

WHAT THIS PACKAGE DOES
----------------------------------------------------------------------
IBM Client Security Software can only be used with IBM computers that
contain the IBM Embedded Security Subsystem. This software consists of
applications and components that enable IBM clients to secure their
sensitive information through a secure hardware chip rather than
through vulnerable software.

Before client user information can be protected, IBM Client Security
Software must be installed on the client and users must be authorized
to use the software. An easy-to-use Setup Wizard guides you through the
entire installation process.

WARNING: At least one client user MUST be authorized to use UVM during
setup.
If NO user is authorized to use UVM when initially setting up Client
Security Software, your security settings will NOT be applied and your
information will NOT be protected. If you completed the Setup Wizard
without authorizing any users, shut down and restart your system; then
run the Client Security Setup Wizard from the Windows Start menu and
authorize a Windows user to use UVM. This will enable IBM Client
Security Software to apply your security settings and protect your
sensitive information.

SYSTEMS SUPPORTED
----------------------------------------------------------------------
The following is a list of non-TCPA systems that will not support this
TCPA-compliant software:

ThinkPad A30, A31*, R30, R31, T20, T21, T22, T23, X20, X21, X22, X23,
X24
NetVista (type 2273, 2283, 2292, 6043, 6059, 6274, 6343, 6349, 6350,
6569, 6579, 6596, 6599, 6646, 6647, 6648, 6649, 6650, 6790, 6791, 6792,
6793, 6794, 6795, 6823, 6825, 6841)
IBM PC300PL (type 6565, 6566, 6584, 6594, 6595)

Note: *Some ThinkPad A31 and A31p systems only support CSS version 5.3.
To determine which ThinkPad A31 system you have, press F1 during
startup when the IBM logo is displayed. The initial BIOS screen will
display the BIOS version.

LANGUAGES SUPPORTED
----------------------------------------------------------------------
The following languages are supported: US, IT, SP, GR, FR, JP, SC

RELEASED VERSIONS
----------------------------------------------------------------------
Version 5.43    Fixed multiple problems

HISTORY OF CHANGES
----------------------------------------------------------------------
5.43
- Added a new SMBUS device driver.
- Added a new message, which is displayed when the chip is disabled in
  a tri-state BIOS. The new message reads: "The security chip installed
  on this system is disabled. To proceed with this installation, click
  OK, restart the computer, press F1 during startup to enter the BIOS
  Setup utility and then enable the security chip."
- Updated the Advanced and Typical mode dialogs.
- Improved the response time when starting the Client Security
  application and the Administrator Utility.
- Prohibited a remote desktop shutdown when Client Security is running.
- Improved the password or passphrase handling during an update action.
- Updated the limited user error messaging during installation.
- Incorporated translation updates.
- Corrected a "2d" failure on first logon after wake from standby.

INSTALLATION INSTRUCTIONS
----------------------------------------------------------------------
DETERMINING WHICH VERSION IS INSTALLED:

INSTALL:
To install this update, double-click on the z046zis2173xxaa.exe file,
where xx is the language identifier.

UNINSTALL:
Remove through Add/Remove Programs.

UNATTENDED INSTALL (For ):
To install this update silently, use the following command:

   z046zis2173xxsaa.exe /s

where xx is the language identifier.

SPECIAL INTEROPERABILITY NOTICES
----------------------------------------------------------------------

LIMITATIONS/CONSIDERATIONS
----------------------------------------------------------------------
- Security chip must be reset when going from CSS 6.0 to CSS 5.43
  If you had Client Security Solution 6.0 installed at some point and
  have uninstalled it to install Client Security Software 5.43, the
  security chip will need to be cleared.

- Multiple administrator users cannot unlock a computer using
  fingerprint or smart card authentication only
  When the security policy does not require the UVM passphrase for
  authentication (i.e., when the security policy requires fingerprint
  or smart card authentication only), only the active administrator
  user can unlock the computer. If you want to be able to switch
  administrator users while the system is locked, passphrase
  authentication must be enabled.
- Passphrase problems possible after a restore operation
  Backup-and-restore utilities, such as IBM Rescue and Recovery, might
  cause password synchronization problems after completing a restore
  operation. Synchronization problems will result after restoring the
  computer to a backup taken prior to when the passphrase was changed.
  The described operation will result in the restored passphrase being
  out of synchronization with the passphrase stored in the security
  subsystem. When the computer is in this state, users cannot be added
  and the policy cannot be changed. To resolve this situation, clear
  the security chip and then use the restored password (the password
  used when the backup was taken) to re-synchronize Client Security
  Software and the security chip. This known limitation is caused by
  the inability of a backup-and-restore utility to back up the state of
  the security chip.

- Limited users are unable to uninstall the File and Folder Encryption
  utility (FFE)
  Limited users will not be able to uninstall FFE even though the
  button to uninstall FFE looks enabled. Administrator privileges are
  required to uninstall FFE.

- Other utilities might be confused with IBM Client Security Password
  Manager
  Users might be presented with a different Password Manager interface
  even after installing IBM Client Security Password Manager. Both
  Netscape and Microsoft support a software-based password manager for
  use with their browsers. These utilities should not be confused with
  the hardware-based IBM Client Security Password Manager.

- Multiple fingerprint readers are not supported
  Client Security Software 5.43 does not support more than one
  fingerprint software package on one computer at the same time. To use
  a different fingerprint reader, the current fingerprint software must
  be uninstalled.
- Wireless network connection fails after transferring a user
  certificate
  Leaving the passphrase dialog open without entering a passphrase for
  an extended period might cause your wireless network connection to
  fail. If this occurs, disable and re-enable your wireless adapter
  after authenticating to IBM User Verification Manager (UVM).

- Simultaneous right-click encryption attempts might fail
  Attempting to encrypt multiple files at once using the right-click
  button might cause the encryption to fail. This is most likely to
  happen if the first file is very large. If this occurs, use the
  right-click button to encrypt the files individually.

- Fingerprint or smart card override passwords for limited users
  When an administrator updates a user fingerprint or smart card
  override password using the Administrator Console, an updated file is
  generated and placed in the user archive directory. The end user must
  then copy this updated file from the archive into the correct
  directory on the system. The usual means for doing this is to select
  Restore user configuration from archive in the User Configuration
  Utility. However, this option is only available to users with
  administrator privileges on the computer. Limited users are not able
  to retrieve an updated override password. Limited users must have an
  administrator manually copy the appropriate file to the Windows
  directory on the system.

- Guest users cannot use the File and Folder Encryption or Password
  Manager utilities
  The File and Folder Encryption and Password Manager utilities do not
  permit access to a guest user even though the guest user account is
  displayed in the Administrator Utility.

- Using a CSS roaming server
  The CSS administrator password prompt will display whenever someone
  attempts to log on to the CSS roaming server. However, the computer
  can be used normally without entering this password.
- Using the IBM Client Security Password Manager in a roaming
  environment
  Passwords stored on one system using IBM Client Security Password
  Manager can be used on other systems within the roaming environment.
  New entries are automatically retrieved from the archive when the
  user logs onto another system (if the archive is available) in the
  roaming network. Therefore, if a user is already logged onto one
  system, he must log off and log on again before any new entries will
  be available on the roaming network.

- Internet Explorer certificate and roaming refresh delays
  Internet Explorer certificates are refreshed in the archive every 20
  seconds. When a new Internet Explorer certificate is generated by a
  roaming user, the user must wait at least 20 seconds before
  importing, restoring, or changing his CSS configuration on another
  system. Attempting any of these actions before the 20-second refresh
  interval has elapsed will cause the certificate to be lost. Also, if
  the user was not connected to the archive when the certificate was
  generated, the user should wait 20 seconds after connecting to the
  archive to be sure the certificate is updated in the archive.

- Lotus Notes password and credential roaming
  If Lotus Notes support is enabled, users' Lotus Notes password will
  be stored by UVM. Users will not need to enter their Notes password
  to log on to Lotus Notes. They will be asked for their UVM
  passphrase, fingerprint, smart card, etc. (depending on the security
  policy settings) to gain access to Lotus Notes. If a user changes his
  Notes password from within Lotus Notes, the Lotus Notes ID file is
  updated with the new password and UVM's copy of the Notes password is
  also updated. In a roaming environment, the user's UVM credentials
  will be available on other systems on the roaming network that the
  user can access.
  It is possible that UVM's copy of the Notes password might not match
  the Notes password in the ID file on other systems in the roaming
  network if the Notes ID file with the updated password is not also
  available on the other system. If this occurs, the user will not be
  able to access Lotus Notes. If a user's Notes ID file with the
  updated password is not also available on another system, the updated
  Notes ID file should be copied to the other systems in the roaming
  network so that the password in the ID file will match the copy
  stored by UVM. Alternately, users can run Modify Your Security
  Settings from the Start Menu, and change the Notes password back to
  the old value. The Notes password can then be updated again via Lotus
  Notes.

- Credential availability at logon in a roaming environment
  When an archive is located on a network share, the latest sets of
  user credentials are downloaded from the archive as soon as the user
  has access to the archive. At logon, users do not yet have access to
  network shares, so the latest credentials might not be downloaded
  until after system logon is complete. For example, if the UVM
  passphrase was changed on another system in the roaming network, or
  new fingerprints were registered on another system, those updates
  will not be available until the logon process is complete. If
  updated user credentials are not available, users should try the
  previous passphrase or other registered fingers to log on to the
  system. After logon is complete, the user's updated credentials will
  be available and the new passphrase and fingerprints will be
  registered with UVM.

- Using Netscape in a roaming environment
  If you are using Netscape in a roaming environment, all systems in
  the roaming network must use the same version of Netscape.
  Credentials cannot be used across different versions, such as 4.8
  and 7.1.

- Restoring keys
  After performing a key restore operation, you must restart the
  computer before you can continue using Client Security Software.
- Local and domain user names
  If domain and local user names are the same, you should use the same
  Windows password for both accounts. IBM User Verification Manager
  only stores one Windows password per ID, so users should use the same
  password for local and domain logon. If not, they will be prompted to
  update the IBM UVM Windows password when they switch between local
  and domain logons when IBM UVM secure Windows logon replacement is
  enabled. CSS does not provide the ability to enroll separate domain
  and local users with the same account name. If you attempt to enroll
  local and domain users with the same ID, the following message is
  displayed: "The selected user ID has already been configured." CSS
  does not allow separate enrolling of common domain and local user IDs
  on one system, so that the common user ID will have access to the
  same set of credentials, like certificates, stored fingerprints, etc.

- Re-installing Targus fingerprint software
  If the Targus fingerprint software is removed and re-installed, the
  registry entries needed for enabling fingerprint support in Client
  Security Software must be added manually for fingerprint support to
  be enabled. Download the registry file that contains the needed
  entries (atplugin.reg) and double-click it to have the registry
  entries merged into the registry. Click Yes, when prompted, to
  confirm this operation. The system must be rebooted for Client
  Security Software to recognize the changes and enable fingerprint
  support.
  Note: You must have administrator privileges on the system in order
  to add these registry entries.

- Targus USB fingerprint reader
  If you change the port that the Targus USB fingerprint reader is
  connected to, the IBM User Verification Manager might experience
  problems recognizing user fingerprints. If this occurs, switch the
  USB reader back to the port it was originally attached to.
- BIOS supervisor passphrase
  IBM Client Security Software 5.3 and earlier does not support the
  BIOS supervisor passphrase feature available on some ThinkPad
  systems. If you enable use of the BIOS Supervisor Passphrase, any
  enabling and disabling of the security chip must be done from BIOS
  Setup. The IBM Embedded Security Subsystem will not be enabled during
  interactive installation when a BIOS supervisor password has been
  set.

- Using Netscape 7.x
  Netscape 7.x behaves differently from Netscape 4.x. The passphrase
  prompt does not appear as soon as Netscape is started. Rather, the
  PKCS#11 module is only loaded when needed, so that the passphrase
  prompt only appears when performing an operation that requires the
  PKCS#11 module.

- Using a diskette for archiving
  If you specify a diskette as your archive location when configuring
  the security software, long delays will be experienced as the
  configuration process writes data to the diskette. Some other
  medium, such as a network share or a USB key, might be a superior
  archive location.

- Registering smart cards
  Smart cards must be registered with UVM before a user can
  successfully authenticate using the card. If one card is assigned to
  multiple users, only the last user to register the card will be able
  to use the card. Consequently, smart cards should be registered for
  one user account only.

- Authenticating with smart cards
  If a smart card is required for authentication, UVM will display a
  dialog requesting the smart card. When the smart card is inserted in
  the reader, a dialog requesting the smart card PIN will be displayed.
  If the user enters an incorrect PIN, UVM will request the smart card
  again. The smart card must be removed and re-inserted before the PIN
  can be re-entered. Users must continue to remove and re-insert the
  smart card until the correct PIN for the card is entered.
- The plus (+) character is displayed on folders after encryption
  After encrypting files or folders, Windows Explorer might display an
  extraneous plus (+) character before the folder icon. This extra
  character will disappear when the Explorer window is refreshed.

- File count after right-click encryption
  When attempting to encrypt multiple files using the right-click
  encryption function, the operation might fail if any of the files
  being encrypted are of a prohibited type, such as DLL, VxD, SYS, etc.
  When the right-click operation fails, the number of files not
  encrypted displayed in the error window might be incorrect.

- Archiving user credentials
  IBM Client Security Software attempts to keep backup information
  stored in the archive up-to-date by frequently backing up the
  information on the system into the archive directory (specified
  during configuration of the security subsystem). If this archive
  directory is stored on a removable media drive, such as a USB key, or
  on a network share, the archive directory might not always be
  available. In the event that CSS cannot access the archive directory,
  a message prompt will be displayed indicating that the archive is not
  available. Clicking Cancel will merely cancel the attempt to back up
  a specific file, and CSS might be attempting to back up multiple
  files, so the message might be displayed multiple times. In order to
  avoid having this message displayed repeatedly when the archive is
  not available, select the Do not show this message again check box.
  The warning message will not be displayed again.

- Windows XP Home limited user limitations
  Windows XP Home limited users cannot update their UVM passphrase,
  Windows password, or update their key archive using the User
  Configuration Utility.

- A system POST 190 error might occur when installing a new system
  board.
  To clear the POST error, complete the following procedure:
  1. Restart your computer.
  2. Press F1 to enter the BIOS Setup Utility when prompted.
  3. Exit the BIOS Setup Utility.
  The POST error will be cleared when you exit the BIOS Setup Utility.

TRADEMARKS
----------------------------------------------------------------------
* LENOVO and ThinkPad are registered trademarks of LENOVO Corporation.
* Microsoft and Windows are registered trademarks of Microsoft
  Corporation.

Other company, product, and service names may be registered
trademarks, trademarks or service marks of others.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IBM
DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT
LIMITATION, THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE
AND MERCHANTABILITY WITH RESPECT TO THE INFORMATION IN THIS DOCUMENT.
BY FURNISHING THIS DOCUMENT, IBM GRANTS NO LICENSES TO ANY PATENTS OR
COPYRIGHTS.

(C) Copyright Lenovo 2005.
(C) Portions Copyright IBM Corp. 2005. All rights reserved.
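ADDED EXAMPLE: SCRIPTED UNATTENDED INSTALL
----------------------------------------------------------------------
The following PowerShell script is an added example for the UNATTENDED
INSTALL step under INSTALLATION INSTRUCTIONS; it is not part of this
package or of the installer. Before running the silent command
(z046zis2173xxsaa.exe /s) it checks the points an administrator would
otherwise verify by hand from the sections above: that the script runs
with administrator rights (limited users cannot install), that the OS
is Windows XP SP1+ or Windows 2000 SP3+, and that no Client Security
Solution 6.0 entry remains in Add/Remove Programs (5.43 will not
install over it, and the security chip must be cleared after removing
6.0). The following are assumptions for illustration, not facts from
this readme: the installer sits in the directory given by -InstallerDir,
the language identifier "xx" is supplied as -Lang, and a CSS 6.0
install appears in the Add/Remove Programs (Uninstall) registry keys
with a DisplayName containing "Client Security Solution".

```powershell
# Added example: pre-flight checks plus unattended CSS 5.43 install.
# Assumptions (not from the readme): -Lang is the "xx" language
# identifier, the installer is in -InstallerDir, and CSS 6.0 shows up
# under the Uninstall registry keys with "Client Security Solution" in
# its DisplayName. The log path is arbitrary.
param(
    [string]$Lang = "us",
    [string]$InstallerDir = ".",
    [string]$LogPath = "$env:TEMP\css543-install.log"
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# 1. Administrator rights: the readme notes limited users get an error
#    during installation, so stop early instead of half-installing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Log "Administrator privileges are required to install CSS 5.43."
    exit 1
}

# 2. OS / service-pack check: XP (5.1) needs SP1+, Windows 2000 (5.0)
#    needs SP3+, per SYSTEM REQUIREMENTS.
$os   = Get-WmiObject Win32_OperatingSystem
$ver  = [version]$os.Version
$sp   = [int]$os.ServicePackMajorVersion
$osOk = ($ver.Major -eq 5 -and $ver.Minor -eq 1 -and $sp -ge 1) -or
        ($ver.Major -eq 5 -and $ver.Minor -eq 0 -and $sp -ge 3)
if (-not $osOk) {
    Write-Log "Unsupported OS $($os.Version) SP$sp; CSS 5.43 requires XP SP1+ or 2000 SP3+."
    exit 2
}

# 3. Refuse to run while Client Security Solution 6.0 is installed.
#    The DisplayName pattern is an assumption; adjust it to what your
#    CSS 6.0 package actually registers.
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
$css6 = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*Client Security Solution*" }
if ($css6) {
    Write-Log "Client Security Solution 6.0 is present ($($css6.DisplayName)). Uninstall it and clear the security chip before installing 5.43."
    exit 3
}

# 4. Locate the language-specific silent installer named in the readme.
$installer = Join-Path $InstallerDir ("z046zis2173{0}saa.exe" -f $Lang)
if (-not (Test-Path $installer)) {
    Write-Log "Installer not found: $installer"
    exit 4
}

# 5. Run the unattended install (/s), wait for it, and keep the exit
#    code so a deployment tool can tell success from failure.
Write-Log "Starting: $installer /s"
$proc = Start-Process -FilePath $installer -ArgumentList "/s" -Wait -PassThru
Write-Log "Installer exited with code $($proc.ExitCode)"
exit $proc.ExitCode
```

The script deliberately does nothing about the UVM warning above: the
readme states that at least one user MUST be authorized to use UVM
during setup, and a silent install cannot do that for you, so plan to
run the Client Security Setup Wizard (or your own post-install step)
afterwards and confirm that a Windows user has been authorized.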