Infineon Security Platform User Policies


The following user policy settings are supported by the Infineon Security Platform Solution Software.

In server mode the User Policies are configured domain-wide by a domain administrator via Trusted Computing Management Server. Note that settings which are valid only for server mode are described in the administrative template file provided by Trusted Computing Management Server.

Default Value: If a policy has not yet been explicitly set (i.e. the Local Group Policy Editor displays the state Not Configured), the Security Platform Solution Software implicitly applies a default value.

All Versions Settings

Settings that are valid for both the stand-alone mode version and the server mode version. Each policy is listed with its explanation, followed by its default value.
Basic User Password - Minimum password length

Enabled: Enter the desired minimum Basic User Password length, e.g. 6.
The minimum password length applies to Basic User Passwords that are set or changed subsequently.

Disabled: The minimum password length is 6 characters.

See also: Details on Password Handling

Default Value: Enabled, 6 characters
Basic User Password - Password must meet complexity requirements

Enabled: Password complexity requirements are enforced for Basic User Passwords that are set or changed subsequently.

Disabled: No password complexity requirements are enforced.

See also: Details on Password Complexity

Default Value: Disabled
Basic User Password - Maximum Basic User Password age

Determines the period of time (in days) that a Basic User Password can be used before the system requires the user to change it.

Enabled:

  • Maximum Basic User Password age: Enter the desired maximum Basic User Password age, e.g. 42 days.
  • Basic User Password expiration warning: Specify how many days before Basic User Password expiration users shall be notified, e.g. 7 days.

Disabled: There is no maximum Basic User Password age, i.e. passwords do not expire.

Default Value: Disabled
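As an added illustration that is not part of the original Infineon documentation, the following Python model evaluates the three Basic User Password policies above (minimum length, maximum age, expiration warning). The class and function names are assumptions, as is the exact boundary at which a password counts as expired; the page does not state it.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class BasicUserPasswordPolicy:
    """Hypothetical model of the Basic User Password policies described above.

    max_age_days=None models the 'Maximum Basic User Password age' policy
    being Disabled, i.e. passwords never expire and no warning is shown.
    """
    min_length: int = 6                  # 'Minimum password length' default: 6
    max_age_days: Optional[int] = None   # e.g. 42 when the age policy is Enabled
    expiration_warning_days: int = 7     # e.g. notify 7 days before expiry


def length_ok_for_new_password(policy: BasicUserPasswordPolicy, candidate: str) -> bool:
    """Minimum-length rule, applied only when a password is set or changed.

    Passwords set before the policy was raised are not re-checked by the
    software, so an audit of existing users cannot rely on this rule alone.
    """
    return len(candidate) >= policy.min_length


def password_age_status(policy: BasicUserPasswordPolicy, set_on: date, today: date) -> str:
    """Classify a password set on `set_on` as 'ok', 'warn' or 'expired'.

    Assumption (not stated on the page): the password is expired once its age
    in days reaches max_age_days, and the warning covers the final
    expiration_warning_days before that point.
    """
    if policy.max_age_days is None:
        return "ok"                      # policy Disabled: no expiry, no warning
    age_days = (today - set_on).days
    if age_days >= policy.max_age_days:
        return "expired"
    if policy.max_age_days - age_days <= policy.expiration_warning_days:
        return "warn"
    return "ok"


if __name__ == "__main__":
    policy = BasicUserPasswordPolicy(min_length=6, max_age_days=42, expiration_warning_days=7)
    for set_on in (date(2024, 1, 1), date(2023, 12, 1)):   # constructed sample dates
        print(set_on, password_age_status(policy, set_on, date(2024, 1, 20)))
```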
Basic User Passphrase - Minimum passphrase length

Enabled: Enter the desired minimum Basic User Passphrase length, e.g. 20.
The minimum passphrase length applies to Basic User Passphrases that are set or changed subsequently.

Disabled: The minimum passphrase length is 20 characters.

This policy is only relevant if Enhanced Authentication is used.

See also: Details on Enhanced Authentication

Default Value: Enabled, 20 characters
Basic User Passphrase - Passphrase must meet complexity requirements

Enabled: Complexity requirements are enforced for Basic User Passphrases that are set or changed subsequently.

Disabled: No complexity requirements are enforced.

This policy is only relevant if Enhanced Authentication is used.

See also: Details on Password Complexity, Details on Enhanced Authentication

Default Value: Disabled
Control Quick Initialization

Enabled/Allow: Either the Quick Initialization Wizard or the Security Platform Initialization Wizard and User Initialization Wizard can be used to initialize platforms and users.

Enabled/Enforce: The Quick Initialization Wizard must be used to initialize platforms and/or users. Available features (EFS, PSD) must also be initially configured with the Quick Initialization Wizard.

Disabled: The Quick Initialization Wizard cannot be used to initialize platforms and users. The Security Platform Initialization Wizard and User Initialization Wizard must be used instead.

Default Value: Enabled/Allow
Allow user to temporarily disable the Security Platform Feature

Enabled: The Infineon Security Platform User can switch off the active Security Platform Features until the computer is next rebooted.

Disabled: The ability to temporarily disable the Infineon Security Platform is not available in the user interface of the Security Platform Solution Software.

This policy is only relevant for Security Platforms with an Infineon Trusted Platform Module 1.1.
When the user logs off and a different user logs on, the deactivated Security Platform Features remain deactivated until the computer is rebooted.

Default Value: Enabled
Allow Secure e-mail configuration

Enabled: The user is allowed to configure the Security Platform Feature Secure e-mail.

Disabled: The user cannot configure this feature, but a previous configuration can be used.

Default Value: Enabled
Allow EFS configuration

Enabled: The user is allowed to configure the Security Platform Feature File and folder encryption with Encrypting File System (EFS).

Disabled: The user cannot configure this feature, but a previous configuration can be used.

EFS is not supported by Windows Home editions.

Default Value: Enabled
Allow PSD configuration

Enabled: The user is allowed to configure the Security Platform Feature File and folder encryption with Personal Secure Drive (PSD).

Disabled: The user cannot configure this feature, but a previous configuration can be used.

Default Value: Enabled
Enforce enabling of Password Reset

Enabled: Enabling Password Reset is mandatory in the User Initialization process.
If a Security Platform User has already been initialized without enabling Password Reset, enabling Password Reset is not enforced.

Disabled: Enabling Password Reset is not enforced. Password Reset can be enabled after User Initialization via Settings Tool - Password Reset - Enable...

Default Value: Disabled
Enforce Enhanced Authentication

Enabled: Security Platform Users must use Enhanced Authentication (with Basic User Passphrase).

Disabled: Security Platform Users can decide whether they want to use Enhanced Authentication (with Basic User Passphrase) or Password Authentication (with Basic User Password).

This policy is only relevant if at least one Authentication Device has been enabled for all users. If a Security Platform User has already been initialized without selecting an authentication device, using Enhanced Authentication is not enforced.

See also: Details on Enhanced Authentication

Default Value: Disabled
Enable caching of Basic User Password

Enabled: The Basic User Password can be cached in the Infineon Security Platform Software, reducing the number of times the password has to be entered during the current log-on session.

Disabled: The Basic User Password dialog does not offer the ability to temporarily cache the Basic User Password.

Default Value: Enabled
URL to start from wizard for certificate enrollment

Enabled: This setting specifies the web address that the Infineon Security Platform User Initialization Wizard uses to retrieve certificates with a web browser.
The page to get a certificate is only available in the User Initialization Wizard if this setting is enabled and at least one Security Platform Feature has been selected for configuration.

Disabled: The page to get a certificate is not available in the Infineon Security Platform User Initialization Wizard.

Notes:

  • This setting is also supported as a system policy, for compatibility with earlier versions of the Security Platform Solution Software.
  • Recommendation: Use this setting as a user policy.
  • While this setting is independent of the certificate usage, there is also a special user policy for EFS certificates (EFS certificate type and enrollment).

Default Value: Disabled
EFS certificate type and enrollment

Enabled: You can restrict the EFS certificate type. You can also enable the enrollment of external EFS certificates by specifying the Certification Authority's web address.

1. EFS certificate type: Specify whether you want to allow all certificate types (domain, external and self-signed certificates) or only certain certificate types. This restriction applies when users enroll or select certificates.

  • Domain certificate: A certificate enrolled via a Certification Authority within your domain.
  • External certificate: A certificate enrolled via an external Certification Authority accessible over the WWW.
  • Self-signed certificate: A certificate created on your own PC.

2. Certificate request URL: Enter a CA's certificate request web address to be used for EFS certificate enrollment, e.g. https://www.companyname.com/foldername.
This target path is used when an EFS certificate is requested from an external Certification Authority (CA).

  • The certificate request URL is optional.
  • If you do not specify a path here, users will not be able to request external EFS certificates.
  • If you want to enable external EFS certificates, enter a valid path that is accessible to all Security Platform PCs. Otherwise the EFS certificate enrollment will fail.

Disabled: The EFS certificate type is not restricted. The web address used to retrieve EFS certificates is not set, i.e. users cannot request external EFS certificates.

Notes:

  • EFS certificates are not only used for EFS, but also for PSD.
  • While this setting is valid only for EFS certificates (to be used for EFS or PSD), there is also a user policy that is independent of the certificate usage (URL to start from wizard for certificate enrollment).

See also: How to enroll and select an EFS certificate

Default Value: Disabled
EFS certificate expiration warning occurrence

Enabled: Security Platform Users are notified by a balloon before their EFS certificate expires. Specify when this notification should take place, e.g. 14 days before certificate expiration.

Disabled: There is no notification of certificate expiration.

Default Value: Users are notified 14 days before certificate expiration.
EFS self-signed certificates validity period

Enabled: Specify the length of time for which self-signed EFS certificates shall be valid.

Disabled: The validity period is 10 years.

Default Value: Enabled with a validity period of 10 years.
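The following Python model, added here and not part of the original Infineon documentation, ties together the three EFS certificate policies above: the type restriction and request URL rule from "EFS certificate type and enrollment", the expiration warning lead time, and the self-signed validity period. Class and function names are assumptions, the validity period is approximated as 365-day years, and an already expired certificate is assumed to receive no further warning.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional, Tuple

# Certificate types named by the 'EFS certificate type' setting.
ALL_EFS_CERT_TYPES = frozenset({"domain", "external", "self-signed"})


@dataclass(frozen=True)
class EfsCertificatePolicy:
    """Hypothetical model of the EFS certificate policies described above."""
    allowed_types: FrozenSet[str] = ALL_EFS_CERT_TYPES   # Disabled: no restriction
    request_url: Optional[str] = None                     # 'Certificate request URL', optional
    expiration_warning_days: Optional[int] = 14           # None models the warning being Disabled
    self_signed_validity_days: int = 10 * 365             # '10 years', assumed as 365-day years


def enrollment_allowed(policy: EfsCertificatePolicy, cert_type: str) -> Tuple[bool, str]:
    """Decide whether a user may enroll or select a certificate of `cert_type`."""
    if cert_type not in policy.allowed_types:
        return False, "certificate type excluded by 'EFS certificate type'"
    if cert_type == "external" and not policy.request_url:
        # Page: without a request URL, users cannot request external EFS certificates.
        return False, "no certificate request URL configured"
    return True, "ok"


def self_signed_not_after(policy: EfsCertificatePolicy, issued_on: date) -> date:
    """Expiry date a self-signed EFS certificate receives under the validity policy."""
    return issued_on + timedelta(days=policy.self_signed_validity_days)


def expiration_warning_due(policy: EfsCertificatePolicy, not_after: date, today: date) -> bool:
    """True when the balloon should show: inside the warning window and not yet expired."""
    if policy.expiration_warning_days is None:
        return False
    days_left = (not_after - today).days
    return 0 <= days_left <= policy.expiration_warning_days


if __name__ == "__main__":
    # Constructed sample: external certificates allowed, but no request URL configured.
    policy = EfsCertificatePolicy(allowed_types=frozenset({"domain", "external"}))
    for cert_type in ("domain", "external", "self-signed"):
        print(cert_type, enrollment_allowed(policy, cert_type))
    print(expiration_warning_due(policy, date(2024, 3, 1), date(2024, 2, 20)))
```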
File Location for Personal Secure Drive

Enabled/PSD Default Drive: This sets the drive on which the Personal Secure Drive image files will be created. Enter a valid drive letter in the edit field, including a colon but without any additional path (e.g. C:). If the drive letter is invalid, users will not be able to create a Personal Secure Drive image file.

Disabled: The user can select the target drive on which the Personal Secure Drive image files will be created.

Default Value: Disabled
Minimum free space after PSD creation

Enabled: If a PSD is saved on the system drive (where the current operating system is located), then a defined amount of free space has to be left after PSD configuration. Specify how much free space has to be left on the system drive after PSD configuration.

Disabled: There is no restriction concerning the free space on the system partition after PSD creation.

Example:
The policy is enabled and set to 5000 MB.
The minimum PSD drive size is 20 MB for Windows 7 and Windows Vista and 10 MB for all other operating systems.

  • Assuming the free space before PSD creation is 5050 MB, the maximum PSD size would be 50 MB.
  • Assuming the free space is 5000 MB, you cannot create a PSD on the system drive.

Default Value: The policy is enabled and set to 5000 MB.
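The free-space rule and the per-OS minimum PSD size from the example above, worked into a small Python check. This is an added illustration, not code from the Infineon software; the function name is an assumption, and it also covers the two cases the example leaves implicit: a non-system drive (the policy does not apply) and a remaining allowance that is below the minimum PSD size.

```python
from typing import Optional

# Minimum PSD image size stated on the page, per operating system (MB).
MIN_PSD_SIZE_MB = {"Windows 7": 20, "Windows Vista": 20}
DEFAULT_MIN_PSD_SIZE_MB = 10   # "all other Operating Systems"


def max_psd_size_mb(free_space_mb: int, min_free_after_mb: Optional[int],
                    os_name: str, on_system_drive: bool = True) -> Optional[int]:
    """Largest PSD image (MB) that can still be created, or None if none fits.

    min_free_after_mb is the 'Minimum free space after PSD creation' value;
    None models the policy being Disabled. The policy only constrains the
    system drive, so other drives are limited by their free space alone.
    """
    floor_mb = MIN_PSD_SIZE_MB.get(os_name, DEFAULT_MIN_PSD_SIZE_MB)
    if on_system_drive and min_free_after_mb is not None:
        allowed_mb = free_space_mb - min_free_after_mb   # space the policy leaves usable
    else:
        allowed_mb = free_space_mb
    # A PSD smaller than the OS-specific minimum cannot be created at all.
    return allowed_mb if allowed_mb >= floor_mb else None


def can_create_psd(free_space_mb: int, min_free_after_mb: Optional[int],
                   os_name: str, on_system_drive: bool = True) -> bool:
    """Convenience wrapper: True when at least a minimum-size PSD fits."""
    return max_psd_size_mb(free_space_mb, min_free_after_mb, os_name, on_system_drive) is not None


if __name__ == "__main__":
    # Constructed inputs reproducing the page's example (policy set to 5000 MB).
    for free in (5050, 5015, 5000):
        print(free, "MB free on Windows 7 ->", max_psd_size_mb(free, 5000, "Windows 7"))
```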
Allow Key Import for User

Enabled: Security Platform Users are allowed to import private keys into the Security Platform. Note that private keys are imported along with certificates via Certificate Viewer and Certificate Selection.

Disabled: Security Platform Users are not allowed to import private keys into the Security Platform.

Default Value: Enabled
Enforce strong private key protection for MS-CAPI signing keys

Enabled: All keys used exclusively for signing operations via the MS-CAPI interface are protected by strong private key protection. In this case the key is protected by its own password, which has to be entered whenever the key is used for a signing operation.

Disabled: Signing keys are not protected in a special form.

This specific password can be cached to avoid repeated input. Since this password is not related to the Basic User Key, the caching mechanism used for the Basic User Password does not affect this password.

Default Value: Disabled
Creation of non-migratable Basic User Key

Enabled/On demand: Users are prompted to create their non-migratable Basic User Key when they use the Infineon TPM Strong Cryptographic Provider for the first time. Note that the Strong Cryptographic Provider requires a non-migratable Basic User Key.

Enabled/Automatic: For new users, the non-migratable Basic User Key is automatically created during user initialization. For users who are already initialized, the non-migratable Basic User Key is created on demand.

Disabled: No non-migratable Basic User Key is created, i.e. the Infineon TPM Strong Cryptographic Provider cannot be used.

Default Value: Enabled/On demand

Stand-alone mode Version Settings

Settings that are valid only for the stand-alone mode version. Each policy is listed with its explanation, followed by its default value.
Backup warning occurrence

Enabled: Security Platform Users are notified by a balloon if the backup of user-specific credentials and keys has failed (for example, because the backup location is not accessible). Specify how often this notification should take place, e.g. every 2 days after the backup failure, until the next successful backup.

Disabled: There is no notification of backup failure.

Default Value: Users are notified daily.
Allow User Enrollment

Enabled/Allow Management Provider and Wizard: Users can be initialized via the Management Provider interface, Quick Initialization Wizard or User Initialization Wizard.

Enabled/Allow Management Provider only: Users can be initialized only via the Management Provider interface.

Disabled: Users cannot be initialized.

Default Value: Enabled/Allow Management Provider and Wizard


©Infineon Technologies AG