SystemLock

Contents
1. What is SystemLock?
2. How does SystemLock work?
3. Initialization of the SmartCard
4. Logging on to a system with SystemLock
5. How to Configure SystemLock
6. Removing SystemLock
7. What is Memorybird SystemLock?

SystemLock White Paper
1. What is SystemLock?
SystemLock is pre-boot authentication with SmartCards: it provides access protection in the pre-boot phase, before the system BIOS initializes the general interfaces and drives.

Without a SmartCard and the matching PIN, it bars the way into the system during booting and prevents unauthorized access to the system, the BIOS setup and the hard disks. Keyboard input and booting from floppy disk, CD-ROM or the network are also prevented.

SystemLock works in combination with a SmartCard reader and a SmartCard. With the SystemLock feature activated, the SCENIC PC can only be started up with a SmartCard initialized for that individual PC and a personal secret number, the Personal Identification Number (PIN). In other words, possession of the SmartCard and knowledge of the PIN are both necessary in order to continue the boot process, start the system and/or enter the BIOS setup. SystemLock therefore delivers a higher level of security than a conventional BIOS password.
 
2. How does SystemLock work?
SystemLock is a pure BIOS function and offers protection against unauthorized access to the PC independent of the installed operating system.

In order to use SystemLock, the function must be enabled in the BIOS (under the Security menu). In the PC's pre-boot phase, a SmartCard initialized for this particular PC must be inserted in the SmartCard reader. Once the 4- to 8-digit PIN has been entered, the boot process continues as normal with the initialization of the interfaces and drives. These prompts cannot be bypassed: it is not possible to call the BIOS setup without first entering the PIN, and cracking the BIOS by using a different password is not possible either. The key is stored on the SmartCard, which also verifies the PIN itself. The BIOS merely establishes whether the SmartCard has validated a release for booting and whether the user is authorized to use the PC.
 
3. Initialization of the SmartCard
At the time of first use, following the activation of SystemLock in the BIOS, a number of cards can be initialized for the relevant PC.

The first card is always the administrator card. In combination with the administrator PIN, this card has full access rights and should therefore be kept in a safe place. It can be used to initialize additional system-specific cards for the various users of the PC, e.g. for standard users, super users, service or administration purposes, and it is also needed to perform administrative functions. The full command set for administration is likewise stored in the BIOS.

To prevent access by unauthorized users, a card with ordinary user rights is blocked after three incorrect user PIN entries, or after seven incorrect Personal Unblock Key (PUK) entries.
 
4. Logging on to a system with SystemLock
On boot the user is asked to insert their SmartCard. Once it has been inserted, they are asked for their user PIN. Once the PIN has been entered, a check is made to verify whether it was entered correctly, i.e. whether the owner of the SmartCard is authorized to use this PC.

An incorrectly entered PIN is rejected with an "access denied" message. After three incorrect entries, the card is blocked and can no longer be used; it can only be unblocked for the user by entering the PUK (PIN Unblock Key). An unauthorized user (i.e. one with the wrong SmartCard) is not allowed access to the PC even if the right PIN is entered. Once the correct card and PIN have been validated, the operating system starts up.
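To make the retry behaviour of sections 3 and 4 concrete, here is an added Python model of the card-side PIN/PUK counters and the BIOS-side decision described above. It is constructed for this page, not Fujitsu Siemens firmware code; the `system_id` field, the counter reset on a correct PIN, the untouched PUK counter after a successful unblock and the untouched PIN counter for a foreign card are assumptions the white paper does not state.

```python
# Model of the SystemLock retry logic in sections 3 and 4: the SmartCard verifies
# the PIN itself and the BIOS only acts on its verdict. Constructed illustration,
# not Fujitsu Siemens firmware code.
from dataclasses import dataclass

PIN_RETRIES = 3   # card blocked after three incorrect user PIN entries
PUK_RETRIES = 7   # card blocked after seven incorrect PUK entries

@dataclass
class SmartCard:
    system_id: str   # assumption: how the card is bound to the PC it was initialized for
    pin: str
    puk: str
    pin_tries_left: int = PIN_RETRIES
    puk_tries_left: int = PUK_RETRIES

    def __post_init__(self) -> None:
        # PIN and PUK are 4- to 8-digit numbers
        for secret in (self.pin, self.puk):
            if not (secret.isdigit() and 4 <= len(secret) <= 8):
                raise ValueError("PIN and PUK must be 4 to 8 digits")

    def verify_pin(self, entered: str) -> bool:
        """Card-side PIN check; a blocked card rejects every PIN."""
        if self.pin_tries_left == 0:
            return False
        if entered == self.pin:
            self.pin_tries_left = PIN_RETRIES   # assumption: counter resets on success
            return True
        self.pin_tries_left -= 1
        return False

    def unblock(self, entered_puk: str) -> bool:
        """PUK restores the PIN counter; wrong PUK entries are counted separately."""
        if self.puk_tries_left == 0:
            return False
        if entered_puk == self.puk:
            self.pin_tries_left = PIN_RETRIES   # assumption: PUK counter is not reset
            return True
        self.puk_tries_left -= 1
        return False


def preboot_auth(card: SmartCard, this_system: str, entered_pin: str) -> str:
    """BIOS decision: boot only with a card initialized for this PC and a PIN the
    card accepted; the right PIN on the wrong card is still refused."""
    if card.system_id != this_system:
        return "access denied"   # assumption: a foreign card's PIN counter is not touched
    return "boot" if card.verify_pin(entered_pin) else "access denied"
```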
 
5. How to Configure SystemLock
(i) To install SystemLock, go into the BIOS (F2) and select the Security menu. Enable Smartcard SystemLock (disabled by default); this adds two further menu options, whose default selections you should leave unchanged. Save & Exit the BIOS.
(ii) On the restart, press F1 (Single PC) when asked to select the SystemLock mode (you will then see a message saying "installing SystemLock").
(iii) You are asked to insert a SmartCard and then to set a new PUK (PIN Unblock Key). The first card you configure is the administrator card, which should be kept in a secure place because it is used to initialize all other user cards and to unlock blocked cards. Enter a PUK (4 to 8 digits).
(iv) Next you are asked for the new PIN (the number used to gain access to the system; it should not be the same as the PUK). When it has been entered successfully you get a "New PIN OK" message.
(v) A message then asks whether you want to "initialize another Smartcard or press esc to abort". If you wish to initialize cards for other users (so that they can log on to this machine), select the option to initialize other cards. Once all cards have been initialized, press Esc to abort. The machine will now boot into Windows. Remember to keep the administrator card safe.
(vi) The next time the PC is booted, you will be asked to insert a SmartCard and then for the PIN. Once the SmartCard and PIN have been validated, the system boots into Windows. Note that you cannot access the BIOS or boot from any removable device without presenting the SmartCard and entering the PIN.

 

6. Removing the SystemLock Feature
You will need the administrator card for this.

Turn on the PC. When asked, insert the administrator card. You will be asked for your PIN (not your PUK). After entering the PIN, a list of options flashes up very quickly on screen; press F4 (administration). You will now be asked to enter the PUK (the number created when you set up SystemLock for the very first time). Another series of options comes up; press F10 (uninstall) to uninstall the SystemLock feature. A warning message will appear:

WARNING! - This will uninstall security. ESC=abort, F4=uninstall


Press F4; the machine restarts and SystemLock has been removed. You do not need to go back into the BIOS to disable SystemLock: the BIOS entry is automatically reset to disabled by the steps above.

 

7. What is Memorybird SystemLock?
Memorybird SystemLock is similar to SystemLock in that it is a BIOS function that provides protection against unauthorized access to the system independently of the operating system. It differs in that it uses a Fujitsu Memorybird (a USB memory stick) instead of a SmartCard for authentication.

When a Memorybird has been configured for SystemLock, the system cannot be started up unless this same Memorybird is inserted into one of the available USB ports; unlike the SmartCard variant, no PIN is requested. Fujitsu Memorybirds have a unique serial number, and it is this serial number that is used for authentication. Therefore, only Fujitsu Memorybirds may be used for the Memorybird SystemLock feature. USB mass storage devices from other vendors are not supported at present, since they are not always guaranteed to have a unique serial number.

To enable Memorybird SystemLock, go into the BIOS (F2). Insert your Memorybird and then, under the Security menu, set Memorybird SystemLock to Enabled (it is disabled by default). Save & Exit the BIOS. The feature is now configured. If you now restart your PC without the Memorybird inserted, you will get a message stating:

Memorybird SystemLock
Insert an authorized memorybird
[press enter]


To remove Memorybird SystemLock, restart the system with the Memorybird inserted. Go into the BIOS and change Memorybird SystemLock back to "Disabled". Save & Exit. The feature is now uninstalled.