HP Z800 Owners Manual
Have a look at the manual HP Z800 Owners Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
FailSafe Boot Block ROM The FailSafe Boot Block ROM enables system recovery in the unlikely event of a ROM flash failure. For example, if a power failure occurs during a ROM upgrade, the Boot Block uses a flash-protected section of the ROM to verify a valid system ROM flash when power is restored to the workstation. If the system ROM is valid, the workstation starts normally. If the system ROM fails the validation check, the FailSafe Boot Block ROM provides enough support to start the workstation from a BIOS image CD created from a SoftPaq. The BIOS image CD programs the system ROM with a valid image. When Boot Block detects an invalid system ROM, the workstation power LED blinks red eight times and the workstation beeps eight times; then the workstation pauses for two seconds. On some models, a Boot Block recovery mode message appears. In preparation for system recovery, use the BIOS CD media file in the SoftPaq to create a BIOS image CD. Recovering the workstation from Boot Block Recovery mode To recover the workstation after it enters Boot Block recovery mode: 1.If there is media in the diskette or optical disk drives, remove it. 2.Insert a BIOS image CD into the CD drive. You can also use USB media such as an HP DriveKey. 3.Power off, then power on the workstation. If no BIOS image CD or USB is found, you are prompted to insert one and restart the workstation. If a setup password has been established, the Caps Lock light illuminates and you are prompted for the password. 4.Enter the setup password. If the workstation starts from the CD or USB and successfully reprograms the ROM, three keyboard lights illuminate. A rising-tone series of beeps also signals successful recovery. 5.Remove the CD or USB media and power off the workstation. 6.Restart the workstation. ENWWWorkstation management 49
Workstation security This section provides information about providing system security through asset tracking, password security, hard disk drive locking, and chassis locks. This section includes these topics: Topics Asset tracking on page 50 SATA hard disk drive security on page 51 Password security on page 54 Chassis security on page 58 Asset tracking Asset tracking features incorporated into the workstation provide asset tracking data that can be managed using HP Systems Insight Manager (HP SIM), HP CMS, or other systems-management applications. Seamless, automatic integration between asset tracking features and these products enables you to choose the management tool that is best suited to the environment and to leverage investments in existing tools. HP also offers several solutions for controlling access to valuable components and information: ●HP ProtectTools Embedded Security prevents unauthorized access to data, checks system integrity, and authenticates third-party users attempting system access. ●Security features such as ProtectTools and the Side access panel sensor (Smart Cover Sensor) help prevent unauthorized access to the data and to the internal components of the workstation. ●By disabling parallel, serial, or USB ports, or by disabling removable-media boot capability, you can protect valuable data assets. ●Memory Change and Side access panel sensor (Smart Cover Sensor) alerts can be forwarded to system management applications to deliver proactive notification of tampering with a workstation’s internal components. ProtectTools and the Side access panel sensor (Smart Cover Sensor) are available as options on select systems. Use the following utilities to manage security settings on the HP workstation: ●Locally, using the Computer Setup (F10) Utility ●Remotely, using the HP CMS or System SSM, which enables the secure, consistent deployment and control of security settings from a simple command line utility For more information about the Computer Setup (F10) Utility, see The Computer Setup (F10) Utility menu on page 34. The following table and sections refer to the management of workstation security through the Computer Setup (F10) Utility 50 Chapter 4 System management ENWW
Table 4-2 Security features overview FeaturePurposeHow it is established Removable Media Boot ControlPrevents booting from removable media drivesFrom the Computer Setup (F10) Utility menu Serial, Parallel, USB, or Infrared Interface ControlPrevents transfer of data through the integrated serial, parallel, USB, or infrared interfaceFrom the Computer Setup (F10) Utility menu Power-On PasswordPrevents use of the workstation until the password is entered (applies to initial system startup and restarts)From the Computer Setup (F10) Utility menu Setup PasswordPrevents reconfiguration of the workstation (use of the Setup utility) until the password is enteredFrom the Computer Setup (F10) Utility menu Network Server Mode Provides unique security features for workstations used as serversFrom the Computer Setup (F10) Utility menu SATA hard disk drive security HP workstations include the HP DriveLock facility for SATA hard disk drives to prevent unauthorized access to data. WARNING!Enabling DriveLock can render a SATA hard disk drive permanently inaccessible if the master password is lost or forgotten. No method exists to recover the password or access the data. DriveLock has been implemented as an extension to Computer Setup (F10) functions. It is only available when hard disk drives that support the ATA security command set are detected. On HP workstations, it is not available when the SATA emulation mode is RAID+AHCI or RAID. DriveLock is for HP customers for whom data security is a paramount concern. For such customers, the cost of a hard disk drive and the loss of the data stored on it is inconsequential when compared to the damage that could result from unauthorized access to its contents. To balance this level of security with the need to address the issue of a forgotten password, the HP implementation of DriveLock employs a two-password security scheme. One password is intended to be set and used by a system administrator, while the other is typically set and used by the user. No back door can be used to unlock the drive if both passwords are lost. Therefore, DriveLock is most safely used when the data contained on the hard disk drive is replicated on a corporate information system or is regularly backed up. If both DriveLock passwords are lost, the hard disk drive is rendered unusable. For users who do not fit the previously defined customer profile, this might not be acceptable. For users who fit this profile, it might be a tolerable risk, given the nature of the data stored on the hard disk drive. ENWWWorkstation management 51
DriveLock applications The most practical use of DriveLock is in a corporate environment. The system administrator would be responsible for configuring the hard disk drive, which involves setting the DriveLock master password and a temporary user password. If you forget the user password or if the equipment is passed on to another employee, the master password can be used to reset the user password and regain access to the hard disk drive. HP recommends that corporate system administrators who enable DriveLock also establish a corporate policy for setting and maintaining master passwords. This should be done to prevent a situation where an employee sets both DriveLock passwords before leaving the company. In such a scenario, the hard disk drive is unusable and requires replacement. Likewise, by not setting a master password, system administrators might find themselves locked out of a hard disk drive and unable to perform routine checks for unauthorized software, other asset control functions, and support. For users with less stringent security requirements, HP does not recommend enabling DriveLock. Users in this category include personal users, or users who do not maintain sensitive data on their hard disk drives as a common practice. For these users, the potential loss of a hard disk drive resulting from forgetting both passwords is much greater than the value of the data DriveLock protects. Access to Computer Setup (F10) and DriveLock can be restricted through the setup password. By specifying a setup password and not giving it to users, system administrators can restrict users from enabling DriveLock. Using DriveLock When hard disk drives that support the ATA security command set are detected, DriveLock appears under the Security menu in the Computer Setup (F10) menu. You are presented with options to set the master password and to enable DriveLock. You must provide a user password to enable DriveLock. Because the initial configuration of DriveLock is typically performed by a system administrator, a master password should be set first. HP encourages system administrators to set a master password whether they plan to enable DriveLock or not. This gives the administrator the ability to modify DriveLock settings if the drive is locked in the future. After the master password is set, the system administrator can enable DriveLock or leave it disabled. If a locked hard disk drive is present, POST requires a password to unlock the device. If a power-on password is set and it matches the device’s user password, POST does not prompt the user to re-enter the password. Otherwise, the user is prompted to enter a DriveLock password. For a cold start, use the master or user password. For a warm start, enter the same password used to unlock the drive during the preceding cold start. Users have two attempts to enter a correct password. During cold start, if neither attempt succeeds, POST continues but the drive remains inaccessible. During a warm-start or restart from the Windows operating system, if neither attempt succeeds, POST halts and the user is instructed to cycle power. 52 Chapter 4 System management ENWW
Enabling DriveLock To enable and set the DriveLock user password: 1.Power on or restart the workstation. 2.As soon as the workstation is powered on, press and hold F10 until you enter the Computer Setup (F10) Utility. Press Enter to bypass the title screen, if necessary. If you do not press F10 at the appropriate time, you must restart the workstation, and then press and hold F10 again to access the utility. If you are using a PS2 keyboard, you might see a keyboard error message. Disregard it. 3.Select Security>DriveLock Security. 4.For each DriveLock-capable drive, select a drive by pressing F10 to accept. 5.Under Enable/Disable DriveLock options, select Enable, and then press F10 to enable DriveLock for a specific drive. CAUTION:Forgetting the DriveLock password renders the drive unusable. 6.Enter a new user password, and then press F10 to accept. This password may be 1 to 32 characters long. 7.Enter the password again in the Enter New Password Again field. If you forget this password, the drive is rendered permanently disabled. 8.Select File>Save Changes and Exit, and then press F10. After you press F10, the workstation performs a cold start before invoking the DriveLock function. You can also use this process to set the DriveLock master password by selecting Master in Step 5. When the workstation starts, you are prompted to enter the DriveLock password for each DriveLock-capable drive for which you have set a password. You have two attempts to enter the password correctly. If the password is not entered correctly, the workstation attempts to start anyway. However, the boot process most likely fails because data from a locked drive cannot be accessed. In a single drive workstation, if the drive has DriveLock enabled, the workstation might not be able to boot to the operating system, and might try to boot from the network or from another storage device (depending on the boot ordering options). Regardless of the outcome of the start attempts, the drive-locked drive remains inaccessible without the DriveLock password. In a two-drive workstation that has a boot drive and a data drive, you can apply the DriveLock feature to the data drive only. In this case, the workstation can always start, but the data drive is accessible only when the DriveLock password is entered. Cold starts require that you enter DriveLock passwords. However, DriveLock passwords are also required for warm starts. For example, if you boot to DOS and press Ctrl+Alt+Del, you must enter the DriveLock password before the workstation completes the next start cycle. This warm-start behavior is consistent with the DriveLock feature. ENWWWorkstation management 53
Password security The power-on password prevents unauthorized use of the workstation by requiring entry of a password to access applications or data when the workstation is powered on or restarted. The setup password specifically prevents unauthorized access to the Computer Setup (F10) Utility and can also be used as an override to the power-on password. When prompted for the power-on password, entering the setup password instead enables access to the workstation. You can establish a network-wide setup password to enable the system administrator to log in to all network systems to perform maintenance without needing to know the power-on password. Establishing a setup password using Computer Setup (F10) Utility Establishing a setup password through the Computer Setup (F10) Utility prevents reconfiguration of the workstation (through the use of the Computer Setup (F10) Utility) until the password is entered. To establish a setup password using the Computer Setup (F10) menu: 1.Power on or restart the workstation. 2.As soon as the workstation is powered on, press and hold F10 until you enter the Computer Setup (F10) Utility. Press Enter to bypass the title screen, if necessary. If you do not press F10 at the appropriate time, you must restart the workstation, and then press and hold F10 again to access the utility. If you are using a PS/2 keyboard, you might see a keyboard error message. Disregard it. 3.Select Security>Setup Password and then follow the onscreen instructions. 4.Before exiting, select File>Save Changes and Exit. 54 Chapter 4 System management ENWW
Establishing a power-on password using workstation setup Establishing a power-on password through the Computer Setup (F10) Utility prevents access to the workstation when power is connected, unless you specify the password. When a power-on password is set, the Computer Setup (F10) Utility presents Password Options in the Security menu. The password options include Network Server Mode and Password Prompt on Warm Boot. When Network Server Mode is disabled, you must enter the password when the workstation is powered on, when the key icon appears on the monitor. When Password Prompt on Warm Boot is enabled, you must enter the password. The password must also be entered each time the workstation is restarted. When Network Server Mode is enabled, the password prompt is not presented during POST, but an attached PS/2 keyboard remains locked until you enter the power-on password. To enable Network Server Mode, you must set a power-on password. The option to set this password is available under Advanced>Password Options. This option enables the workstation to start without requiring the power-on password, but the keyboard and mouse are locked until you enter the password. The keyboard LEDs rotate constantly when the workstation is in locked mode. To establish a power-on password through the Computer (F10) menu: 1.Power on or restart the workstation. 2.As soon as the workstation is powered on, press and hold F10 until you enter the Computer Setup (F10) Utility. Press Enter to bypass the title screen, if necessary. If you do not press F10 at the appropriate time, you must restart the workstation and then press and hold F10 again to access the utility. If you are using a PS/2 keyboard, you might see a keyboard error message. Disregard it. 3.Select Security>Power-On Password and then follow the onscreen instructions. 4.Before exiting, select File>Save Changes and Exit. Entering a power-on password To enter a power-on password: 1.Restart the workstation. 2.When the key icon appears on the monitor, enter the current password, and then press Enter. Type carefully. For security reasons, the characters you enter do not appear on the screen. If you enter the password incorrectly, a broken key icon appears. Try again. After three unsuccessful tries, you will enter the F10 setup screen with read-only permission. (See the Setup Browse Mode option under the Power-On options.) ENWWWorkstation management 55
Entering a setup password If a setup password has been established on the workstation, you will be prompted to enter it each time you run the Computer Setup (F10) Utility. To enter a setup password: 1.Restart the workstation. 2.As soon as the workstation is powered on, press and hold F10 until you enter the Computer Setup (F10) Utility. Press Enter to bypass the title screen, if necessary. If you do not press F10 at the appropriate time, you must restart the workstation and press and hold F10 again to access the utility. If you are using a PS/2 keyboard, you might see a keyboard error message. Disregard it. 3.When the key icon appears on the monitor, enter the setup password, and press Enter. Type carefully. For security reasons, the characters you enter do not appear on the screen. If you enter the password incorrectly, a broken key icon appears. Try again. After three unsuccessful tries, you must restart the workstation before you can continue. Changing a power-on or setup password To change a power-on or setup password: 1.Restart the workstation. 2.To change the power-on password, go to step 4. 3.To change the setup password, as soon as the workstation is powered on, press and hold F10 until you enter the Computer Setup (F10) Utility. Press Enter to bypass the title screen, if necessary. If you do not press F10 at the appropriate time, you must restart the workstation, and then press and hold the F10 key again to access the utility. If you are using a PS/2 keyboard, you might see a keyboard error message. Disregard it. 4.When the key icon appears, enter the current password, a slash (/) or alternative delimiter character, the new password, another slash (/) or alternative delimiter character, and the new password again as shown: current password/new password/new password For information about the alternative delimiter characters, see National keyboard delimiter characters on page 57. Type carefully. For security reasons, the characters you enter do not appear on the screen. 5.Press Enter. The new password takes effect the next time you power on the workstation. The power-on and setup passwords can also be changed using the Security options in the Computer Setup (F10) Utility. 56 Chapter 4 System management ENWW
Deleting a power-on or setup password To delete a power-on or setup password: 1.Power on or restart the workstation. 2.Choose from the following: ●To delete the power-on password, go to step 4. ●To delete the setup password, as soon as the workstation is powered on, press and hold F10 until you enter the Computer Setup (F10) Utility. Press Enter to bypass the title screen, if necessary. If you do not press F10 at the appropriate time, you must restart the workstation and then press and hold F10 again to access the utility. Use the appropriate operating system shutdown process. 3.When the key icon appears, enter the current password followed by a slash (/) or alternative delimiter character: current password/. For information about the alternative delimiter characters see National keyboard delimiter characters on page 57. 4.Press Enter. National keyboard delimiter characters Each keyboard meets country-specific requirements. The syntax and keys you use for changing or deleting passwords depend on the keyboard included with the workstation. Table 4-3 National keyboard delimiter characters LanguageDelimiterLanguageDelimiterLanguageDelimiter Arabic/Greek-Russian/ Belgian=Hebrew.Slovakian- BHCSY *-Hungarian-Spanish- Brazilian/Italian-Swedish/Finnish/ Chinese/Japanese/Swiss- Czech-Korean/Taiwanese/ Danish-Latin American-Thai/ French!Norwegian-Turkish. French CanadianéPolish-U.K. English/ German - Portuguese - U.S. English / *Bosnia-Herzegovina, Croatia, Slovenia, and Yugoslavia ENWWWorkstation management 57
Clearing passwords If you forget the password, you cannot access the workstation. For instructions about clearing passwords, see Configuring password security and resetting CMOS on page 211. Chassis security Side access panel key lock The side access panel contains a key lock to prevent the panel from being removed. The key is fastened to the workstation rear panel when shipped from the factory. Side access panel sensor (Smart Cover Sensor) (optional) The optional Side access panel sensor is a combination of hardware and software technology that can alert you when the workstation side access panel has been removed (if the sensor has been configured in the Computer Setup (F10) Utility). The three levels of Side access panel sensor protection are shown in the following table: Table 4-4 Side access panel sensor protection levels LevelSettingDescription Level 0DisabledSide access panel sensor * is disabled (default). Level 1Notify UserWhen the workstation restarts, a message appears indicating that the workstation side access panel has been removed. Level 2 Setup Password When the workstation is restarted, a message appears indicating that the workstation side access panel has been removed. You must enter the setup password to continue. *Side access panel sensor settings can be changed using the Computer Setup (F10) Utility. 58 Chapter 4 System management ENWW