Infineon Security Platform Solution - Policy Administration
Infineon Security Platform System Policies
The following computer policy settings are supported by the Infineon Security Platform Solution Software.
In server mode the System Policies are configured domain-wide by a domain administrator via Trusted Computing Management Server. Note that settings which are valid only for server mode are described in the administrative template file provided by Trusted Computing Management Server.
Default Value: If a policy has not been explicitly set before (i.e. the Local Group Policy Editor displays the state Not Configured), the Security Platform Solution Software implicitly applies a default value.
All Versions Settings
Settings that are valid for both the stand-alone mode version and the server mode version.

| Policy | Explanation | Default Value |
|---|---|---|
| Prepare TPM enrollment | Enabled: On platforms that are not yet initialized, have a disabled Trusted Platform Module and support the Physical Presence Interface (PPI), the Trusted Platform Module is automatically prepared to be enabled. Users are guided through completing the enabling. Disabled: The Trusted Platform Module is not automatically prepared to be enabled. | Disabled |
| Allow Administrators to use platform keys remotely | Enabled: An administrator can use platform keys not only locally but also remotely. Disabled: Using platform keys remotely is not allowed. For privacy reasons, access to these keys is restricted as discussed within the Trusted Computing Group (TCG); this way, all keys that would allow your Security Platform to be identified are hidden from remote access. This policy requires that all involved computers are members of trusted domains. It is only relevant for operating systems that support domain membership. | Disabled |
| Allow reading of unprotected TPM NV memory | Determines who may read unprotected Non-Volatile (NV) memory stored in a Trusted Platform Module 1.2. The NV memory may contain sensitive data. Enabled: Specify whether only local administrators, local and remote administrators, all local users or all users may read unprotected NV data. Disabled: No user may read unprotected NV data. Note that Security Platform administration and operation are not restricted by this setting. | Enabled/Local administrators |
| Configure dictionary attack threshold | Determines the number of allowed Trusted Platform Module authentication attempts before dictionary attack defense measures are taken. Enabled: Specify how many authentication attempts are allowed for keys (e.g. used for Security Platform User authentication), for the owner, and for access to sealed data (e.g. used by Windows BitLocker in combination with a PIN) before dictionary attack defense measures are taken. Disabled: The dictionary attack threshold cannot be configured; the default values are in effect. | Enabled; Owner: 3 attempts, Key: 5 attempts, Data: 10 attempts |
| Enable stringent password field security | Enabled: Cutting, copying, pasting and viewing secret data (e.g. passwords or secrets) in clear text is not possible. Disabled: Pasting is possible; additionally, cut and copy operations are available while secret data (e.g. passwords or secrets) is shown in clear text. | Disabled |
| Purge Keys when entering energy-saving states | Enabled: Security Platform keys are purged before the computer enters one of the energy-saving states standby (S3) or hibernation (S4), which raises the security level during the energy-saving state. After resuming from the energy-saving state, Security Platform Features require user authentication again. | Enabled |
| Enhanced Authentication providers | Enabled: Enter an Enhanced Authentication provider class ID (CLSID), or multiple CLSIDs separated by semicolons. | In server mode, same behavior as if disabled. In stand-alone mode, same behavior as in former product versions, i.e. installed providers can be used. |
| Allow Administrators to take ownership remotely | Enabled: An administrator is not required to be present locally when taking ownership of a computer. This may be especially useful when setting up clients in large networks. Disabled: Taking ownership remotely is not allowed. | Disabled |
| Allow Administrators to retrieve the SRK public key remotely | Determines who may read the public key of the Storage Root Key (SRK) stored in a Trusted Platform Module. The SRK public key requires particular protection, since the Security Platform can be identified by it. Enabled: An administrator can retrieve the SRK public key not only locally but also remotely. Disabled: Retrieving the SRK public key remotely is not allowed. | Disabled |
Stand-alone mode Version Settings
Settings that are valid only for the stand-alone mode version.

| Policy | Explanation | Default Value |
|---|---|---|
| Owner Password - Minimum password length | Enabled: Enter the desired minimum Owner Password length, e.g. 6. The minimum password length applies to Owner Passwords that are set or changed subsequently. Disabled: The minimum password length is 6 characters. | Enabled, 6 characters |
| Owner Password - Password must meet complexity requirements | Enabled: Password complexity requirements are enforced for Owner Passwords that are set or changed subsequently. Disabled: No password complexity requirements are enforced. | Disabled |
| Allow Platform Enrollment | Enabled/Allow Management Provider and Wizard: Platforms can be initialized via the Management Provider interface, the Quick Initialization Wizard or the Initialization Wizard. Enabled/Allow Management Provider only: Platforms can be initialized only via the Management Provider interface. Disabled: Platforms cannot be initialized. | Enabled/Allow Management Provider and Wizard |
| Enforce configuration of Backup including Emergency Recovery | Enabled: The configuration of automatic backups (including Emergency Recovery) is mandatory in the Security Platform Initialization process. If the Security Platform has already been initialized without configuring automatic backups, there is no enforcement to configure automatic backups. Disabled: There is no enforcement to configure automatic backups. Backup can be configured after Security Platform Initialization via Settings Tool - Backup - Configure.... | Disabled |
| Backup archive location | Enabled: Enter a path including file name, e.g. `\\BackupServer\SecurityPlatformShare\SPSystemBackup.xml`. This target path is enforced when the feature Backup is configured. An automatically written Backup Archive consisting of an XML file and a folder with the same name is created, e.g. file `SPSystemBackup.xml` and folder `SPSystemBackup`. If the feature Backup has already been configured, the existing backup path is kept as long as no re-configuration is performed. Disabled: The backup target path can be freely specified when the feature Backup is configured. | Disabled |
| Enforce immediate System Backup | Enabled: The System Backup Archive is updated immediately after significant changes of Security Platform data. Disabled: The System Backup Archive is not updated immediately after significant changes of Security Platform data. If automatic backups are configured and write access to the System Backup Archive is allowed, the archive is updated with the next scheduled System Backup. | Enabled |
| Use public key of Emergency Recovery Token from archive | Enabled: Enter a path including the public key file name, e.g. `\\ServerName\FolderName\FileName.xml`. This path is enforced when Emergency Recovery is configured. If Emergency Recovery has already been configured on a Security Platform PC, this setting has no effect for that PC. Disabled: The Emergency Recovery Token can be created or selected when Emergency Recovery is configured. See also: Details on Emergency Recovery configuration; How to create a public key archive file from a token file. | Disabled |
| Enforce configuration of Password Reset | Enabled: The configuration of Password Reset is mandatory in the Security Platform Initialization process. If the Security Platform has already been initialized without configuring Password Reset, there is no enforcement to configure Password Reset. Disabled: There is no enforcement to configure Password Reset. Password Reset can be configured after Security Platform Initialization via Settings Tool - Password Reset - Configure.... | Disabled |
| Use public key of Password Reset Token from archive | Enabled: Enter a path including the public key file name, e.g. `\\ServerName\FolderName\FileName.xml`. This path is enforced when Password Reset is configured. If Password Reset has already been configured on a Security Platform PC, this setting has no effect for that PC. Disabled: The Password Reset Token can be created or selected when Password Reset is configured. See also: Details on Password Reset configuration; How to create a public key archive file from a token file. | Disabled |
Previous Product Versions Settings
Settings that are valid only for previous product versions.

| Policy | Explanation | Default Value |
|---|---|---|
| File location for Emergency Recovery Archive | This setting is only relevant for older versions of the Security Platform Solution Software. In older versions, the file location for the Emergency Recovery Archive could be set explicitly during Security Platform Initialization, and this policy could enforce that file location. In the current version, the file location is set automatically. | --- |
| URL to start from wizard for certificate enrollment | See user policies. | Disabled |
©Infineon Technologies AG