Random Password Manager Enterprise Edition

Transcription

1 Random Password Manager Enterprise Edition

2 i Contents Copyright Notice 4 Introduction 1 Overview...1 Performance Notes...1 License Agreement...1 Limited Warranty...3 Background and Goals...3 Product Installation 5 Installation Requirements...5 Pre-requisite Knowledge...6 Port Requirements...6 MSDE Installation Using the Download Package...7 MSDE Installation Manually...8 Random Password Manager Enterprise Edition Setup...12 Random Password Manager Installation...14 Web Interface Installation 16 Web Application Installation...16 Web Application Installation Advanced Options...17 Web Application Security...17 IIS and ASP Pages...18 COM+ Identity Wrapper...22 COM Components...23 Web Application Authentication and Delegation...25 Delegation Configuration...26 Getting Started 28 Randomizing the Local Administrator Password for Every System in the Domain...28 Schedule a Reoccurring Password Randomization...32 Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group.34 Recover a Password from a system in the 'Default' Group using the Web Interface...37 Web Interface 40 Login...41 Password Recovery...41 System Status...44 Managing Access...46 View Log...46

3 Copyright Notice ii Program Access...48 Managed Group Access...50 Account Masks...50 Managing Systems 52 Managed Group Dialog...53 Managed Group Dialog Menus...53 System List Columns...55 System Names and Name Resolution...55 Add Systems to Group...57 Add From Domain Systems List...57 Add From Network Browse List...59 Add From Shell Network Browse List...60 Add Systems Manually...61 Add From Active Directory...62 Browse Options...63 Add From IP Scanned Range...64 Import/Export Systems List...65 Connecting to Systems...65 Selecting Systems...65 Refresh Info...65 Setting Managed Group System Ranges...67 Dynamic Group Memberships...68 Dynamic Group Name and Comment...70 Dynamic Group Domains...71 Dynamic Group IP Address Ranges...71 Dynamic Group Active Directory Paths...72 Dynamic Group Data Sources...72 Dynamic Group Explicit Inclusions...73 Dynamic Group Explicit Exclusions...74 Dynamic Group Filter Options...75 Dynamic Group Options...76 Managing Multiple Managed Groups...77 Managing Passwords 78 Overview and Goals...78 Creating a Password Change Job...79 Viewing Stored Passwords...81 Deferred Processing 82 Jobs Monitor...83 Deferred Processor Service...84 Retry Settings...85 Alternate Administrators 86 Administrator Accounts Editor...86 Report Generator 89

4 Copyright Notice iii Report File Output Type...91 HTML Edit Dialog...91 Post-Generation Action Server Settings Overview...93 SMTP Settings: General...94 SMTP Settings: Outgoing Server...95 SMTP Settings: Logging Options...96 Help Information 97 License Keys...97 Registration...99 Database Configuration...99 Logon Info About Program Options 102 Logging Datastore Configuration Application Components Manage Web Application Remote Licensing Index 109

5 4 Copyright Notice Copyright Lieberman Software Corporation. All rights reserved. The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited. Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If you find any problems in the documentation, please report them to us in writing. Lieberman Software does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software. Microsoft, Windows, Word, Office, SQL Server, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA Internet support@liebsoft.com Website:

6 1 Introduction This chapter includes an overview of Random Password Manager Enterprise Edition, what problems it is designed to solve, performance information, expected pre-requisite knowledge, and some background information on Windows. This chapter also includes the license and warranty information for Random Password Manager Enterprise Edition. In This Chapter Overview...1 Performance Notes...1 License Agreement...1 Limited Warranty...3 Background and Goals...3 Overview Random Password Manager Enterprise Edition is designed to randomize and store the passwords for accounts on your systems on a regular reoccurring basis. Because these passwords are stored and managed by the program, they can be retrieved via a delegated web interface. Access to the password store as well as other web interface features can be limited to specific windows groups. Performance Notes Random Password Manager Enterprise Edition is multi-threaded and supports automatic retry for failed systems in an operation. Most operations on a LAN will take about a second to complete, but connections over a WAN may take significantly longer. All scheduled operations and job retries are handled in the background by a deferred processor service. License Agreement This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms

7 Introduction 2 of this agreement, you should return the software and documentation, as well as, all accompanying items promptly for a refund. 1. Your Rights: Lieberman Software hereby grants you the right to use Random Password Manager Enterprise Edition to manage the licensed number of systems purchased. This software is licensed for use by a single client and its designated employees, contractors and authorized 3rd parties to manage the systems owned/used by a single client. The software license may not be shared with unrelated 3rd parties. The serial number provided by Lieberman Software is designed for installation on a specific machine. You many install an unlimited number of copies of Random Password Manager Enterprise Edition for your administrators that connect to the single licensed machine. All administrators can share the pool of purchased managed node licenses. There are no limits to the number of web servers or clients that may access the data stored by your licensed copy of Random Password Manager Enterprise Edition. The cost of Microsoft web servers, SSL certificates, and other supporting equipment and technology are the sole responsibility of the user of this software; not Lieberman Software. 2. Copyright. The SOFTWARE is owned by Lieberman Software and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also--you may not make copies of the manual for any purpose other than the use of the software. 3. Other Restrictions: You may not rent, lease, or transfer the SOFTWARE to any other entity. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions. 4. Notice: This software contains functionality designed to periodically notify Lieberman Software of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software under these circumstances, and you agree to not hold Lieberman Software responsible for the use of any or all of the information by Lieberman Software or any third party. When used lawfully, this software periodically transmits to us the serial number and network identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party. Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles

8 Introduction 3 CA Internet support@liebsoft.com Website: Limited Warranty The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30-days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media. The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages. Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation of/for consequences of any such errors. This agreement is governed by the laws of the State of California. Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write: Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA You can also keep up to date on the latest upgrades via our website at ( or us at: sales@liebsoft.com (mailto:sales@liebsoft.com) Background and Goals The Need for Strong Local Credentials Organizations with a need for the most basic access security should use unique local logon credentials customized for each workstation and server in their environment. Unfortunately, most organizations use common credentials (same user name and password for the built-in administrator account) for each system

9 Introduction 4 for the ease of creating and managing those systems by the IT Department without any concern as to the consequences to the organization should these common credentials be compromised. With the mandates of Sarbane-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD and others, the implementation of reasonably hard to compromise local logon credentials is mandatory for most organizations as a means for protecting not only the confidentiality of their data, but also to protect against tampering. Creating Strong Local Credentials Lieberman Software s program: Random Password Manager Enterprise Edition (RPMEE) can change any common account on all workstations and servers in just a few minutes without the need for scripts or any other type of program. The new common credentials can be stored in in a local or remote SQL Server database and can be recovered on demand using RPMEE. Random Password Manager Enterprise Edition can be configured to regularly change the passwords of common accounts on all of your systems (i.e. workstation built-in administrator account) according to a schedule of your choice so that each account receives a fresh cryptographically strong password regularly. This product feature protects the overall security of your organization so that the compromise of a single machine s local administrator password does not lead to the total compromise of your entire organization s security. Delegated Password Recovery Random Password Manager Enterprise Edition also contains a web interface to allow the remote recover of passwords. The web interface is an ASP web application that allows any user with the appropriate group memberships the right to use the application as well as the right to recover passwords for accounts managed by the Random Password Manager Enterprise Edition program. All access to the ASP program as well as all password recoveries are logged and the history is also available via the same web interface to authorized users. Because this application provides extremely sensitive information, it is essential that you pay particular attention to the security settings of the application and also use appropriate encryption such as SSL based on the scope of access provided.

10 5 Product Installation This chapter covers the installation and setup of both the Win32 console application and the web application setup. In This Chapter Installation Requirements...5 Pre-requisite Knowledge...6 Port Requirements...6 MSDE Installation Using the Download Package...7 MSDE Installation Manually...8 Random Password Manager Enterprise Edition Setup...12 Random Password Manager Installation...14 Installation Requirements This program requires Windows NT 4.0, Windows 2000 (NT 5.0, Server or Workstation), Windows XP (NT 5.1), or Windows 2003 (NT 5.2). We recommend at least 128 megabytes of memory and at least 50 megabytes of free disk space. This program also requires access to a SQL Server or MSDE database to store internal data. You can connect to an existing database or create a new database to store data. The construction of the required tables, views, stored procedures, and security roles are handled automatically. MSDE is freely available from Microsoft and can be downloaded from their site directly or found on our site in a convenient installation package. The database can exist on the same system the Win32 application is installed on or can exist on another system. You must have access to the database via a SQL Server login account (Windows Integrated Authentication will not work). The web application component requires Microsoft Internet Information Services (IIS) 5.0 or later or Microsoft Personal Web Server (PWS) with Active Server Page (ASP) server extensions enabled. The web application also requires COM+ to be enabled on the web server. The web server running the web component does not have to be the same system the Win32 application is installed on. If the web application will be installed on a different machine than the Win32 application, the active logon session must have administrative rights on the web server machine during the time of the web application installation. The deferred processor service must be installed and running as an account with administrative rights on the local machine.

11 Product Installation 6 Pre-requisite Knowledge Random Password Manager Enterprise Edition uses a Win32 console application in conjunction with a local service to setup the reoccurring password change jobs. Setting up the web application to allow access through the web interface includes the deployment of several COM objects to either the local or a remote web server as well as the creation of virtual directories for the associated ASP files used in the web interface. Random Password Manager Enterprise Edition also utilizes a SQL Server or MSDE database to store program data. We provide documentation as to the steps needed to setup and maintain Random Password Manager Enterprise Edition. We also recommend you have knowledge of database and web server administration, as these components will be used by Random Password Manager Enterprise Edition and should be patched, secured, and properly configured to ensure that the password store system will not be compromised. Port Requirements The following ports are used by Random Password Manager Enterprise Edition: Port 7 - Echo. We use this port to send out WakeOnLAN packets. Port 137, 138, Netbios Name Service Ports. This service handles file and folder sharing between Windows machines. These ports are required for Random Password Manager Enterprise Edition to properly function. Port Alternate Netbios Name Service port (Win2K, XP, 2003). This port is not required unless the normal Netbios Name Service ports are closed (137, 138, 139). Be aware that this alternate port for the Netbios Name Service will not work on Windows NT 4.

12 Product Installation 7 MSDE Installation Using the Download Package If you want to use MSDE as the data store and have downloaded our installation package for MSDE ( locate and launch msdesetup.exe. You will be asked to enter the SA account password. The SA account password is the administrative database access password. We use this account and password to connect to the database and perform database operations. You can also choose whether or not the database will be accessible remotely. If you are installing MSDE and the webserver onto the local system, you do not need to enable remote connectivity.

13 Product Installation 8 If there is more than one instance of MSDE running on the target system, you will have to create a named instance for the new install. If MSDE has not been installed, the default instance is sufficient. After Installing MSDE, Windows NT 4.0 systems may need to be restarted to ensure the proper services are running. MSDE Installation Manually This download also contains detailed instructions for installing MSDE. Additional documentation for installation and configuration can be found at Microsoft's support site for MSDE ( d1de2971d9db/readmemsde2000a.htm#_3460_installing_msde_2000_release_a_fzpy) or in the MSDN library. Make sure the file and print sharing is enabled. Also make sure the local security policy for installation behavior is as follows: Windows XP and Windows 2003: Set the Security Option for Devices: Unsigned driver installation behavior to Silently Succeed in the Local Security Policy of the machine on which you are going to install MSDE. Windows 2000: Set the Security Option for Unsigned non-driver installation behavior to Silently Succeed in the Local Security Policy of the machine on which you are going to install MSDE. Stop these services if they are running before installing MSDE:

14 Product Installation 9 Microsoft Distributed Transaction Coordinator. Microsoft Search MSSQLServerOLAPService Microsoft Component Services Microsoft Message Queuing Microsoft COM Transaction Manager These services should be shut down prior to install. Shut down the services from within the administrative tools service controller. They can be started again after the installation is complete. The installation should still work if the services are not shut down, but the machine will require a restart in order to restart the services after installation. This update installs MDAC version 2.7 SP1a unless a newer version of the MDAC is detected. By default, MSDE will install with network support disabled. If MSDE is installed on the same machine as the console and the web server, then this configuration is recommended for increased security purposes. If you need to enable network support, you can specify this with the flag "DISABLENETWORKPROTOCOLS=0". You can also reconfigure MSDE to allow network access at a later time. We recommend you configure MSDE to use Windows Authentication Mode and use a strong sa password for the installation. This password can be set when running the installer from the command line by specifying the parameter SAPWD. Examples of the install command string are shown below. For a complete list of parameters and explanations of configuration options, refer the Microsoft documentation for MSDE. Note: When installing a named instance of MSDE, be careful not to overwrite an existing instance of MSDE. This applies to previous installations, as well as, other vendor's software installations of MSDE. Example installation:

15 Product Installation Download the MSDE installer from Microsoft. Save it to a directory on the local system and run it by double-clicking on it. 2. Agree to the license agreement and choose a directory for the install.

16 Product Installation Open a command window and navigate to the directory that you unpacked MSDE into. Type "setup" followed by the installation configuration arguments. In this example, we are creating a default instance of MSDE and the sa password for the instance is MySecurePassword (not a very secure password). Here is a list of the more common options. You should see the progress as the installation takes place. After the installation you may or may not be asked to restart you system. If you receive an errors during the install process, refer to Microsoft's online documentation or MSDN for troubleshooting. If you received no errors you have setup an instance of MSDE on the local machine.

17 Product Installation 12 Random Password Manager Enterprise Edition Setup When the program runs for the first time, you will be prompted to input your license information. For demo copies, the default demo license is sufficient. For commercial keys, enter the key that was sent to you and click OK. After you input the license information, you will be prompted to connect to an instance of SQL Server or MSDE. First enter the name of the system running SQL Server. This can be the local system or a remote system accessible by name or IP address.

18 Product Installation 13 Enter the SQL Server account information and choose the database from the drop list. The account that you use must have the rights to create, edit, and delete tables, data, and procedures from the database. Click Next. Select the database from the dropdown menu. You must use an existing database. If you have not created a database in SQL Server to use, close the application, create the SQL Server database, and then launch the application again. Click Finish. You will now see the main management dialog of the application.

19 Product Installation 14 Random Password Manager Installation Launch rpmeesetup.exe from the directory to which it was saved and follow the prompts to choose an installation directory. Click "Next". Read through the license agreement and click "Agree"

20 Product Installation 15 Click "Next" to start the installation. During the installation the program will create shortcuts on the desktop and start menu. Double click the shortcut to launch the application.

21 16 Web Interface Installation This chapter contains installation instructions and background information on the Web Interface portion of RPMEE. The web interface is composed of a set of ASP pages, two COM objects (one.ocx and one.dll), and a COM+ identity wrapper. In This Chapter Web Application Installation...16 Web Application Installation Advanced Options...17 Web Application Security...17 IIS and ASP Pages...18 COM+ Identity Wrapper...22 COM Components...23 Web Application Authentication and Delegation...25 Delegation Configuration...26 Web Application Installation This reference assumes that the program database is also running on the local system and the local system is running IIS 5.0 or better and is acting as the web server. These operations are implemented through a wizard accessible through the Win32 interface (see "Manage Web Application" on page 106) which automates these steps. The steps involved in setting up the web interface can also be performed manually. These are the steps required to install and configure the web interface: 1 Copy the ASP files from the installation directory to a folder in the "c:\inetpub\wwwroot\rpmeeweb" directory. 2 Create a new virtual directory "RPMEEWeb" in IIS that references the "C:\inetpub\wwwroot\RPMEEWeb" directory. 3 Create a new COM+ Server Application called RPMEEWeb. Set the credentials for the application to valid local administrator credentials. 4 Add the two required COM objects to the COM+ Application as components. The two COM objects are located in the installation directory and are named "RPMEEWeb.ocx" and "RouletteWeb.dll". 5 Create a default access rule that grants full access to the web interface to members of the domain administrators group. 6 Create default access rules to allow domain administrators all access in the web interface.

22 Web Interface Installation 17 7 Launch a new browser window with the web interface The information you will need to supply is the account name and password to use for the COM+ wrapper identity. This account will need local administrative access and domain user access. When you have entered account information, click Install Web Application to start the installation. Note: When you upgrade to a new version of Random Password Manager Enterprise Edition, you will also have to re-run the web application installation to upgrade the web pages and COM components. Web Application Installation Advanced Options Using the advanced options, you can install and configure the web application to run either on the local system or on a remote web server. If you specify a remote web server, the required files and registry values will be copied out to the server along with the setup of the COM+ wrapper and the registration of the COM objects. Using the advanced options you can: Choose a destination directory for the ASP webpages. Configure the web server to either create a virtual directory to reference the pages or move the pages into the root of the web server. Choose a destination location for the required OCX and DLL files. Specify the COM+ wrapper name on the server. Set the logon account name and password used by the COM+ wrapper. Web Application Security We highly recommend you install and setup SSL encryption for the web server that will be hosting the web interface for Random Password Manager Enterprise Edition. Without SSL installed and running on the web server, the credentials passed from the the web server to the authentication server could be sent unencrypted and could be vulnerable to network traffic sniffing. If you plan to implement the web interface over the internet, then we would also recommend limiting access based on specific IP address ranges.

23 Web Interface Installation 18 IIS and ASP Pages Microsoft Internet Information Services or Microsoft Personal Web Server (5.0 or better) is required to be running on the web server to use the web application component of Random Password Manager Enterprise Edition; processing of ASP pages must also be enabled. By default ASP pages are turned off in IIS 6.0. To enable ASP pages open up the IIS control panel and open the properties of the default web site. Open the Home Directories Tab and Click on the Configuration button for Application Settings.

24 Web Interface Installation 19 Make sure the.asp extension is listed and references the "C:\windows\system32\inetsrv\asp.dll" file. Part of the installation of the web application involves creating a virtual directory in IIS. This virtual directory will reference the set of ASP pages which provide the user interface for the web application. During the automated web application installation, the ASP files are copied from the installation directory to the "C:\Inetpub\wwwroot\RPMEEWeb" directory and the new virtual directory is created in IIS. Shown here are the manual steps of making these changes.

25 Web Interface Installation 20 Name the new virtual directory "RPMEEWeb". Point the virtual directory to the location of the ASP pages. Use the default permissions (read and run scripts).

26 Web Interface Installation 21 The ASP pages used for the web interface are found in the "\UmpWebInterface" subdirectory under the installation path. If you install manually, you should copy them to a a directory under the "C:\inetpub\wwwroot\" directory and reference that directory in the virtual directory. You don't need to copy the files to the "wwwroot" directory, but you need to ensure that the account which IIS is using to process ASP pages has access to the directory, which the files are located in. By default, the IIS accounts will have access to files and folders under the "wwwroot" directory, which is why the files are copied there by default on install. After making changes to the configuration IIS, an IIS restart will be required. You can restart IIS either through the IIS control console or through the command line with the command "iisreset". Restarting IIS will stop the web server service as well as any COM objects or services that are currently being held open by the web server. Lastly, because of the nature of this application, the web server has the capability to send passwords out to the users of the web application. If there is the possibility of unauthorized users sniffing traffic from the web server, we recommend you install and use an SSL certificate on your web server to encrypt passwords viewed through the web interface.. Support of SSL and the issuance of certificates will need to be handled by your organization.

27 Web Interface Installation 22 COM+ Identity Wrapper Random Password Manage Enterprise Edition utilizes a COM+ Server Application to store credentials for use by the COM objects used by the web application. Because the COM+ Application is a server application, it uses a specified set of credentials instead of using the launching process' credentials. Running as a specific user allows the COM+ Application to run the COM components at an elevated level of access without running the website as that powerful account. For the web application to work, the COM+ application must be running using an account which has local administrative rights, as well as, domain user rights. COM+ must be supported and enabled on the web server for the web application installation. The creation of the COM+ object is handled through the web application installation wizard, but the steps can also be performed manually as shown below. Open the Component services utility and browse to the COM+ Applications folder on the local machine. Create a new COM+ Server Application (specific credentials) called RPMEE. On the second page of the wizard, choose to create a new empty application.

28 Web Interface Installation 23 Title the application RPMEEWeb and choose Server Application. Enter the user account for the COM+ application. This account must have administrative access to the local machine. Finish the wizard to create the COM+ Application. Initially it will be empty and you will have to add the required COM components to it so the web application can access them. COM Components Once the COM+ Application has been created, the COM objects used by the web application will have to be added so they will be registered with the system. Once the COM objects have been registered with the system, they can be called from other applications (in this case the web server can call them from ASP pages). The benefit of adding the COM objects to a COM+ application is that they will run as the user account stored in the COM+ application, rather than the context of the calling user. The required COM components are copied to the installation directory. The files which contain the COM objects are named "RpmEEWeb.ocx" and "RouletteWeb.dll". The installation wizard will automatically add the COM objects to the COM+ application, but you can also do this manually.

29 Web Interface Installation 24 Open the Component Services console and locate the components folder of the RPMEEWeb COM+ Application. Choose to add new components to the application. Choose to install new component(s). Browse to the installation directory and add the RpmEEWeb.ocx and RouletteWeb.dll files to the COM+ application.

30 Web Interface Installation 25 Once the COM objects have been added as components, the web server will be able to create and access them. Web Application Authentication and Delegation The web server uses a low-powered account to handle the processing of web pages. This is desired because if the website were to be compromised, any malicious behavior or executed code would run in the context of the web server. This design means the web server will not have access to the database directly or the ability to perform operations such as group and user lookups to check authentication. Because the webserver will not have access to the database or to the domain, the COM+ wrapper must have local administrative rights and domain user rights. The credentials needed to access the SQL server database are also stored locally and used by the COM objects when retrieving password, system, and delegation information from the database. The credentials are never used directly by the web server and thus are not exposed to the outside world. The authentication mechanism starts when the web server requests a security token from the COM object. A security token is granted for each successful login and then stored in the database. This token contains the encoded rights associated with a specific login including lifetime for the login. Once the token has been passed back from COM object, the web server stores it in the active session. Requests to perform operations are passed to the COM object along with the token, and the COM object determines whether or not the user has the appropriate access based on the token. Using this scheme, the web server does not have access to the database directly, so even if the web server were to be compromised, the attacker would not have access to any of the password data. The delegation scheme for the web interface consists of a set of rules stored in the database that map directly to real Windows Domain Groups. The domain the web server is in will be the source for these Windows Groups. When you create an access rule, you specify both the action that is allowed and the Windows Group which is allowed to perform the action. User identification and authentication takes place by passing the account name and password through the web server to the COM object, which attempts to perform a domain logon. If the logon is successful, the COM object will perform a group lookup for the username and build a list of the domain groups the user is a member of. The COM object will then build the set of rights granted to the one or more groups the user belongs to and encode those rights into a security token, which it saves to the database and passes back to the web server. When subsequent requests are made to the COM object from the web server, this security token is verified to ensure the user has the correct rights. There are two basic types of delegation rules you can create for Windows Groups. The first is a Global Program Access Rule. This type of rule defines what basic web application operations are allowed to the members of a specific Windows Group. These rights include the logon right, access to all passwords, and the ability to change the delegation rules and check logs. Any Windows groups you want to have access to the web interface must be granted the logon right. The second type of rule is the Managed Group Access Rule. These rules determine which managed groups a Windows group has the right to access. If you want Windows users in a group to be able to recover passwords for a set of systems, you will create a Managed Group Access Rule for that Windows group and that set of systems.

31 Web Interface Installation 26 Delegation Configuration The default web application installation gives all access to direct members of the domain administrators group. To delegate rights out to other groups, login to the web interface as a user in the domain admins group. Click on the Manage Access tab and then the Program Access tab. From here you can choose which windows groups have access to the most powerful program level rules. These rules are the ability to logon to the web interface, the ability to recover all stored passwords, and the ability to change access rules. Use this section to grant access to the Windows groups that will be allowed to use the web interface.

32 Web Interface Installation 27 After granting Windows groups program access, click the Manage Group Access tab. This tab will allow you to set which Windows groups have access to each logical group of systems (and their accounts).

33 28 Getting Started This chapter contains a few common tasks for Random Password Manager Enterprise Edition and step by step examples of how to accomplish these tasks. In This Chapter Randomizing the Local Administrator Password for Every System in the Domain...28 Schedule a Reoccurring Password Randomization...32 Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group...34 Recover a Password from a system in the 'Default' Group using the Web Interface...37 Randomizing the Local Administrator Password for Every System in the Domain The first step is to add the domain to the system range of the current group. To do this, click "Edit Current System Set Properties..." from the SystemsList menu.

34 Getting Started 29 Now select the domain tab and enter the name of the domain. Click "OK" to return to the main dialog and click "Update Current System Set Now" to add all the domain systems to the current Managed Group.

35 Getting Started 30 You should see the systems in the domain in the system list. Highlight them all and click the Lock button in the lower middle right of the dialog. The default option is the local administrator account. Make sure the local administrator account option is selected. This option will change the built-in local administrator account on each machine, even if it has been named.

36 Getting Started 31 By default the password will be randomized, make sure the password is set to be randomized. Set this password change to run now by selecting "Immediately" as the scheduling option. Click Finish to start the job. When the job is complete, you will see a results dialog, which shows the status of each system that was part of the job.

37 Getting Started 32 Schedule a Reoccurring Password Randomization Select the system(s) which have accounts you want to randomize and click the Lock button in the middle lower right of the main dialog. Enter the account name of the account you want to randomize. This will randomize the password for this local account on each of the selected machines.

38 Getting Started 33 By default the password will be randomized, make sure the password is set to be randomized. Select monthly for the scheduling option. The job shown will run at 12:00 AM on the first of every month. Click Finish to complete the scheduling of the job.

39 Getting Started 34 Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group Begin by logging into the web interface as a user with the ability to change delegation rules. Select the Managed Access Tab.

40 Getting Started 35 Select the Program Access tab. Select the "Allow Web Logon" right from the drop list on the left and the "Test Group" from the list of Windows domain groups to the right. Granting this right will allow Windows users who are members of this Windows group to logon to the web interface. Click Add "Global Access Rule".

41 Getting Started 36 Click the "Managed Group Access" tab. Select the Managed Group "Default" from the drop list on the left and the Windows group "Test Group" from the drop list on the right. This step will give the users in the Windows group "Test Group" the ability to see and recover the saved passwords for accounts on systems in the "Default" managed systems group. Click Add Group Access Rule.

42 Getting Started 37 Recover a Password from a system in the 'Default' Group using the Web Interface Log into the web interface with an account which has been granted ability to recover passwords for the "Default" managed systems group. Click on the "Default" group in the group list.

43 Getting Started 38 Click "Find Systems" to list all systems in this group. Select the account and system you want to recover and click the "recover" link.

44 Getting Started 39 The recovered password will be shown in the display (as shown below) and an automatic password rerandomization will be scheduled for 4 hours in the future.

45 40 Web Interface This chapter covers the use of the web interface portion of Random Password Manager Enterprise Edition. This chapter includes instructions for both users and administrators of the web interface. Topics covered include: logging in to the web interface, recovering passwords, viewing system information, settings access rules, viewing log activity for the web interface, delegating managed group access to Windows groups. Note that throughout this chapter, the screenshots reflect an administrative user view. Users granted less rights will not have access and therefore not see some of the sections shown in the screenshots. In This Chapter Login...41 Password Recovery...41 System Status...44 Managing Access...46

46 Web Interface 41 Login The first step in using the web interface is to login. By default, access is given to members of the domain administrators group on the domain the web interface is installed on. Access can be configured through the web interface. Choose one of the trusted domains from the drop list and log on using Windows username and password. All logon attempts are saved to the web interface activity log and can be viewed from the web interface. In order for users in a Windows group to access the web interface, they must be granted the logon right through the tool. Account authentication is done using the Microsoft Windows challenge/response system. For more information about setting up and configuring the web interface see Web Application Installation. Password Recovery After logging in to the web interface the most common task will be retrieving passwords. To do this, click the Password Recovery tab and then the Managed Groups tab on the secondary menu. You will need to know the name of the account you want to recover as well as the name of machine that account is on. You will also need to know the name of one of the managed groups that contains that system. In the Managed Groups list you will only be able to see the names of each managed group you have been given access to. Click on the name of the managed group that contains the system. If the system is contained in more than one managed group, any of the managed groups that contain that system will suffice.

47 Web Interface 42 The right to recover passwords is granted to all Windows groups that are allowed to login to the web interface. The specific managed groups each Windows group has access to is further controlled through the Manage Access portion of the web interface.

48 Web Interface 43 When you select a managed group, you can choose to search for a known system by filter or display all systems with stored passwords from that group. To search for a known set of systems, use a substring to search for system names as they appear in the tool. For this example, "dev2" will return the "dev2000" system and "evp" will return the "devpat" system. Click on "recover' to show the password for the account. The recovered password can be highlighted and copied to the clipboard for ease of use. If the logged in user account has been granted the all access right, then the 'All' tab will be available in the secondary menu (shown above). This tab provides a search of all stored passwords for all accounts on all systems in the tool. This search ignores the managed group memberships for systems and consequently grants a higher level of access to the password store. Recovering a password will also cause the password to be scheduled for randomization. The time between the recovery and the change is configurable and the default time is 4 hours. All password retrievals are logged to the program log. Note: If you have access to a system through a managed group, by default you will have access to all stored passwords for all accounts on that system. This can be configured using the password filters which is explained here (see "Account Masks" on page 50).

49 Web Interface 44 System Status Using the System Status tab, you can see the latest status of systems based on a managed group. The right to view system status is granted to all Windows groups with the proper program logon right. Authorized users can access the web interface can see the status of systems that are members of any managed group they have been granted access. Granting or denying control to specific managed groups of systems can be limited through the the Manage Access portion of the web interface.

50 Web Interface 45 The columns shown in the system status view are the same columns shown in the Win32 application for each system. Note: the information for each system is only as current as the last operation (password change or refresh in the Win32 app) for that system. When you select a managed group, you can choose to search for a known system by filter or display all systems with from that group. To search for a known set of systems, use a substring to search for system names as they appear in the tool. For this example, "dev2" will return the "dev2000" system while "evp" will return the "devpat" system. If the logged in user account has been granted the all access right, then the 'All' tab will be available in the secondary menu (shown above). This tab provides a search of all systems in the tool. This search ignores the managed group memberships for systems and consequently is a higher level of access to the system status information.

51 Web Interface 46 Managing Access This section covers using delegation to manage access for the web interface. The delegation scheme uses rules applied to Windows groups to allow or deny rights within the web interface. The top level rights (program rights) determine which program level rights a Windows groups is granted. These rights include the ability to login, the ability to see everything, and the ability to change access rules. The second level of rules, managed group access rules, determines which managed group(s) a specific Windows group has access. This level of delegation includes managed group access control lists and account name based filters. This section also contains the log information. The log tracks all users who attempt to log into the web interface and all password retrievals. View Log The activity log for all web interface logons and password retrievals is stored in the Manage Access section. To view the log, you must have been granted the program right to manage all web access controls. First choose which log you want to view. The access log shows all attempted logons to the web interface. The Recovery Log displays all passwords that were retrieved and you may also select the range of time you are interested in. In addation, you can choose to view the activity for a specific user that has logged in or recovered passwords.

52 Web Interface 47 The access log shows the time of the logon, the originating IP address, the result of the attempt, and the logon username.

53 Web Interface 48 The recovery log shows the date of the recovery, the IP originating IP address, the authenticated username, the managed group that allowed access to the system, the system name, and the name of the account that was recovered. Note: when account passwords are recovered, they are scheduled to be automatically randomized in four hours. Program Access This section controls the higher level global program access rules. These rules dictate which Windows groups have rights in the web interface. The rights granted here are program wide and include: logon, display all accounts, manage web access controls. The right to logon is the most basic right. This allows members of the Windows group to log into the web interface. This right will also allow users to see the System Status tab and the Password Recovery tab, but users in the group will not have access to any managed groups initially. The right to see all account passwords grants members of the Windows group the right to recover the stored account passwords for any account saved within the system. This bypasses the managed group access check and applies to both the Password Recovery section and the System Status section.

54 Web Interface 49 The right to manage web access controls grants members of the Windows group the right to access the Manage Access section, which includes the log for the web interface. This section also contains the controls to change access to the web interface for Windows groups. This is the most powerful right granted and by default is only given to the domain administrators Windows group. To grant a right to a Windows group you will create a rule. First select the program wide right from the left drop list then select the Windows group from the right drop list. Now click "Add Global Access Rule". A list of the global access rules is shown. This list contains all the groups with rights within the web interface. Windows groups not listed cannot log onto the web interface or recover any passwords. To remove a rule, click the 'del' link to the right of a specific rule.

55 Web Interface 50 Managed Group Access This section controls the delegation of password recovery for managed groups to specific Windows groups. To allow a Windows group to recover the passwords for accounts on systems in a managed group, create a managed group access rule. First select the managed group from the left drop list. Next select the Windows group you want to grant access from the right drop list. Now click "Add Group Access Rule". The list of Managed Group Access Rules shows each managed group with one or more access rules. Each group is listed on the left. On the right of each managed group is the list of Windows groups which have been given the right to recover passwords for accounts on systems in that group. To remove a Managed Group Access Rule, click the 'del' link to the right of the Windows Group name. Note: If a Windows group has been given the global program access right to see all account passwords, users in that group will have access to all systems regardless of managed group memberships. Account Masks The Account Masks tab is used to filter the list of accounts for which a Windows group can recover passwords. Account Masks limit the accounts to which a member of the Windows group has access based on searching for one or more substrings within the account name. The account masks are not case sensitive. Example: You have stored passwords for "Administrator", "User", and "Guest" accounts. The account mask of "admin" would allow members of that Windows group to still see and recover the password for only the "Administrator" account. The account mask of "u" would allow members of that Windows group to see and recover passwords for the "User" and "Guest" accounts.