Random Password Manager Enterprise Edition


Contents

Copyright Notice

Introduction
Overview; Performance Notes; License Agreement; Limited Warranty; Background and Goals

Product Installation
Installation Requirements; Pre-requisite Knowledge; Port Requirements; MSDE Installation Using the Download Package; MSDE Installation Manually; Random Password Manager Enterprise Edition Setup; Random Password Manager Installation

Web Interface Installation
Web Application Installation; Web Application Installation Advanced Options; Web Application Security; IIS and ASP Pages; COM+ Identity Wrapper; COM Components; Web Application Authentication and Delegation; Delegation Configuration

Getting Started
Randomizing the Local Administrator Password for Every System in the Domain; Schedule a Reoccurring Password Randomization; Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group; Recover a Password from a system in the 'Default' Group using the Web Interface

Web Interface
Login; Password Recovery; System Status; Managing Access; View Log; Program Access; Managed Group Access; Account Masks

Managing Systems
Managed Group Dialog; Managed Group Dialog Menus; System List Columns; System Names and Name Resolution; Add Systems to Group; Add From Domain Systems List; Add From Network Browse List; Add From Shell Network Browse List; Add Systems Manually; Add From Active Directory; Browse Options; Add From IP Scanned Range; Import/Export Systems List; Connecting to Systems; Selecting Systems; Refresh Info; Setting Managed Group System Ranges; Dynamic Group Memberships; Dynamic Group Name and Comment; Dynamic Group Domains; Dynamic Group IP Address Ranges; Dynamic Group Active Directory Paths; Dynamic Group Data Sources; Dynamic Group Explicit Inclusions; Dynamic Group Explicit Exclusions; Dynamic Group Filter Options; Dynamic Group Options; Managing Multiple Managed Groups

Managing Passwords
Overview and Goals; Creating a Password Change Job; Viewing Stored Passwords

Deferred Processing
Jobs Monitor; Deferred Processor Service; Retry Settings

Alternate Administrators
Administrator Accounts Editor

Report Generator
Report File Output Type; HTML Edit Dialog; Post-Generation Action

Server Settings
Overview; SMTP Settings: General; SMTP Settings: Outgoing Server; SMTP Settings: Logging Options

Help Information
License Keys; Registration; Database Configuration; Logon Info; About

Program Options
Logging; Datastore Configuration; Application Components; Manage Web Application; Remote Licensing

Index

Copyright Notice

Copyright Lieberman Software Corporation. All rights reserved.

The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited.

Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If you find any problems in the documentation, please report them to us in writing. Lieberman Software does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Lieberman Software Corporation
1900 Avenue of the Stars Suite 425
Los Angeles CA
Internet [email protected] Website:

Introduction

This chapter includes an overview of Random Password Manager Enterprise Edition, what problems it is designed to solve, performance information, expected pre-requisite knowledge, and some background information on Windows. This chapter also includes the license and warranty information for Random Password Manager Enterprise Edition.

In This Chapter: Overview; Performance Notes; License Agreement; Limited Warranty; Background and Goals

Overview

Random Password Manager Enterprise Edition is designed to randomize and store the passwords for accounts on your systems on a regular, recurring basis. Because these passwords are stored and managed by the program, they can be retrieved via a delegated web interface. Access to the password store as well as other web interface features can be limited to specific Windows groups.

Performance Notes

Random Password Manager Enterprise Edition is multi-threaded and supports automatic retry for failed systems in an operation. Most operations on a LAN will take about a second to complete, but connections over a WAN may take significantly longer. All scheduled operations and job retries are handled in the background by a deferred processor service.

License Agreement

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation, as well as all accompanying items, promptly for a refund.

1. Your Rights: Lieberman Software hereby grants you the right to use Random Password Manager Enterprise Edition to manage the licensed number of systems purchased. This software is licensed for use by a single client and its designated employees, contractors and authorized 3rd parties to manage the systems owned/used by a single client. The software license may not be shared with unrelated 3rd parties. The serial number provided by Lieberman Software is designed for installation on a specific machine. You may install an unlimited number of copies of Random Password Manager Enterprise Edition for your administrators that connect to the single licensed machine. All administrators can share the pool of purchased managed node licenses. There are no limits to the number of web servers or clients that may access the data stored by your licensed copy of Random Password Manager Enterprise Edition. The cost of Microsoft web servers, SSL certificates, and other supporting equipment and technology are the sole responsibility of the user of this software; not Lieberman Software.

2. Copyright. The SOFTWARE is owned by Lieberman Software and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also--you may not make copies of the manual for any purpose other than the use of the software.

3. Other Restrictions: You may not rent, lease, or transfer the SOFTWARE to any other entity. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.

4. Notice: This software contains functionality designed to periodically notify Lieberman Software of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software under these circumstances, and you agree to not hold Lieberman Software responsible for the use of any or all of the information by Lieberman Software or any third party. When used lawfully, this software periodically transmits to us the serial number and network identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party.

Lieberman Software Corporation
1900 Avenue of the Stars Suite 425
Los Angeles CA
Internet [email protected] Website:

Limited Warranty

The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30 days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media. The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation of/for consequences of any such errors.

This agreement is governed by the laws of the State of California. Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write:

Lieberman Software Corporation
1900 Avenue of the Stars Suite 425
Los Angeles CA

You can also keep up to date on the latest upgrades via our website or e-mail us at: [email protected]

Background and Goals

The Need for Strong Local Credentials

Organizations with a need for the most basic access security should use unique local logon credentials customized for each workstation and server in their environment. Unfortunately, most organizations use common credentials (same user name and password for the built-in administrator account) for each system for the ease of creating and managing those systems by the IT Department, without any concern as to the consequences to the organization should these common credentials be compromised.

With the mandates of Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD and others, the implementation of reasonably hard to compromise local logon credentials is mandatory for most organizations as a means for protecting not only the confidentiality of their data, but also to protect against tampering.

Creating Strong Local Credentials

Lieberman Software's program, Random Password Manager Enterprise Edition (RPMEE), can change any common account on all workstations and servers in just a few minutes without the need for scripts or any other type of program. The new common credentials can be stored in a local or remote SQL Server database and can be recovered on demand using RPMEE.

Random Password Manager Enterprise Edition can be configured to regularly change the passwords of common accounts on all of your systems (i.e. workstation built-in administrator account) according to a schedule of your choice so that each account receives a fresh cryptographically strong password regularly. This product feature protects the overall security of your organization so that the compromise of a single machine's local administrator password does not lead to the total compromise of your entire organization's security.

Delegated Password Recovery

Random Password Manager Enterprise Edition also contains a web interface to allow the remote recovery of passwords. The web interface is an ASP web application that allows any user with the appropriate group memberships the right to use the application as well as the right to recover passwords for accounts managed by the Random Password Manager Enterprise Edition program. All access to the ASP program as well as all password recoveries are logged, and the history is also available via the same web interface to authorized users.

Because this application provides extremely sensitive information, it is essential that you pay particular attention to the security settings of the application and also use appropriate encryption such as SSL based on the scope of access provided.

Product Installation

This chapter covers the installation and setup of both the Win32 console application and the web application.

In This Chapter: Installation Requirements; Pre-requisite Knowledge; Port Requirements; MSDE Installation Using the Download Package; MSDE Installation Manually; Random Password Manager Enterprise Edition Setup; Random Password Manager Installation

Installation Requirements

This program requires Windows NT 4.0, Windows 2000 (NT 5.0, Server or Workstation), Windows XP (NT 5.1), or Windows 2003 (NT 5.2). We recommend at least 128 megabytes of memory and at least 50 megabytes of free disk space.

This program also requires access to a SQL Server or MSDE database to store internal data. You can connect to an existing database or create a new database to store data. The construction of the required tables, views, stored procedures, and security roles is handled automatically. MSDE is freely available from Microsoft and can be downloaded from their site directly or found on our site in a convenient installation package. The database can exist on the same system the Win32 application is installed on or can exist on another system. You must have access to the database via a SQL Server login account (Windows Integrated Authentication will not work).

The web application component requires Microsoft Internet Information Services (IIS) 5.0 or later or Microsoft Personal Web Server (PWS) with Active Server Page (ASP) server extensions enabled. The web application also requires COM+ to be enabled on the web server. The web server running the web component does not have to be the same system the Win32 application is installed on. If the web application will be installed on a different machine than the Win32 application, the active logon session must have administrative rights on the web server machine during the time of the web application installation.

The deferred processor service must be installed and running as an account with administrative rights on the local machine.

Pre-requisite Knowledge

Random Password Manager Enterprise Edition uses a Win32 console application in conjunction with a local service to set up the recurring password change jobs. Setting up the web application to allow access through the web interface includes the deployment of several COM objects to either the local or a remote web server as well as the creation of virtual directories for the associated ASP files used in the web interface. Random Password Manager Enterprise Edition also utilizes a SQL Server or MSDE database to store program data.

We provide documentation as to the steps needed to set up and maintain Random Password Manager Enterprise Edition. We also recommend you have knowledge of database and web server administration, as these components will be used by Random Password Manager Enterprise Edition and should be patched, secured, and properly configured to ensure that the password store system will not be compromised.

Port Requirements

The following ports are used by Random Password Manager Enterprise Edition:

Port 7 - Echo. We use this port to send out WakeOnLAN packets.

Ports 137, 138, 139 - NetBIOS Name Service ports. This service handles file and folder sharing between Windows machines. These ports are required for Random Password Manager Enterprise Edition to properly function.

Port Alternate Netbios Name Service port (Win2K, XP, 2003). This port is not required unless the normal NetBIOS Name Service ports are closed (137, 138, 139). Be aware that this alternate port for the NetBIOS Name Service will not work on Windows NT 4.

MSDE Installation Using the Download Package

If you want to use MSDE as the data store and have downloaded our installation package for MSDE, locate and launch msdesetup.exe.

You will be asked to enter the SA account password. The SA account password is the administrative database access password. We use this account and password to connect to the database and perform database operations. You can also choose whether or not the database will be accessible remotely. If you are installing MSDE and the web server onto the local system, you do not need to enable remote connectivity.

If there is more than one instance of MSDE running on the target system, you will have to create a named instance for the new install. If MSDE has not been installed, the default instance is sufficient. After installing MSDE, Windows NT 4.0 systems may need to be restarted to ensure the proper services are running.

MSDE Installation Manually

This download also contains detailed instructions for installing MSDE. Additional documentation for installation and configuration can be found at Microsoft's support site for MSDE ( d1de2971d9db/readmemsde2000a.htm#_3460_installing_msde_2000_release_a_fzpy) or in the MSDN library.

Make sure that file and print sharing is enabled. Also make sure the local security policy for installation behavior is as follows:

Windows XP and Windows 2003: Set the Security Option for Devices: Unsigned driver installation behavior to Silently Succeed in the Local Security Policy of the machine on which you are going to install MSDE.

Windows 2000: Set the Security Option for Unsigned non-driver installation behavior to Silently Succeed in the Local Security Policy of the machine on which you are going to install MSDE.

Stop these services if they are running before installing MSDE:

Microsoft Distributed Transaction Coordinator
Microsoft Search
MSSQLServerOLAPService
Microsoft Component Services
Microsoft Message Queuing
Microsoft COM Transaction Manager

These services should be shut down prior to install. Shut down the services from within the administrative tools service controller. They can be started again after the installation is complete. The installation should still work if the services are not shut down, but the machine will require a restart in order to restart the services after installation. This update installs MDAC version 2.7 SP1a unless a newer version of MDAC is detected.

By default, MSDE will install with network support disabled. If MSDE is installed on the same machine as the console and the web server, then this configuration is recommended for increased security. If you need to enable network support, you can specify this with the flag "DISABLENETWORKPROTOCOLS=0". You can also reconfigure MSDE to allow network access at a later time.

We recommend you configure MSDE to use Windows Authentication Mode and use a strong sa password for the installation. This password can be set when running the installer from the command line by specifying the parameter SAPWD. Examples of the install command string are shown below. For a complete list of parameters and explanations of configuration options, refer to the Microsoft documentation for MSDE.

Note: When installing a named instance of MSDE, be careful not to overwrite an existing instance of MSDE. This applies to previous installations, as well as other vendors' software installations of MSDE.

Example installation:

1. Download the MSDE installer from Microsoft. Save it to a directory on the local system and run it by double-clicking on it.

2. Agree to the license agreement and choose a directory for the install.

3. Open a command window and navigate to the directory that you unpacked MSDE into. Type "setup" followed by the installation configuration arguments. In this example, we are creating a default instance of MSDE and the sa password for the instance is MySecurePassword (not a very secure password). Here is a list of the more common options.

You should see the progress as the installation takes place. After the installation you may or may not be asked to restart your system. If you receive any errors during the install process, refer to Microsoft's online documentation or MSDN for troubleshooting. If you received no errors, you have set up an instance of MSDE on the local machine.

Random Password Manager Enterprise Edition Setup

When the program runs for the first time, you will be prompted to input your license information. For demo copies, the default demo license is sufficient. For commercial keys, enter the key that was sent to you and click OK.

After you input the license information, you will be prompted to connect to an instance of SQL Server or MSDE. First enter the name of the system running SQL Server. This can be the local system or a remote system accessible by name or IP address.

Enter the SQL Server account information and choose the database from the drop list. The account that you use must have the rights to create, edit, and delete tables, data, and procedures from the database. Click Next.

Select the database from the dropdown menu. You must use an existing database. If you have not created a database in SQL Server to use, close the application, create the SQL Server database, and then launch the application again. Click Finish.

You will now see the main management dialog of the application.

Random Password Manager Installation

Launch rpmeesetup.exe from the directory to which it was saved and follow the prompts to choose an installation directory. Click "Next".

Read through the license agreement and click "Agree".

Click "Next" to start the installation.

During the installation the program will create shortcuts on the desktop and start menu. Double-click the shortcut to launch the application.

Web Interface Installation

This chapter contains installation instructions and background information on the Web Interface portion of RPMEE. The web interface is composed of a set of ASP pages, two COM objects (one .ocx and one .dll), and a COM+ identity wrapper.

In This Chapter: Web Application Installation; Web Application Installation Advanced Options; Web Application Security; IIS and ASP Pages; COM+ Identity Wrapper; COM Components; Web Application Authentication and Delegation; Delegation Configuration

Web Application Installation

This reference assumes that the program database is also running on the local system and the local system is running IIS 5.0 or better and is acting as the web server. These operations are implemented through a wizard accessible through the Win32 interface (see "Manage Web Application" on page 106) which automates these steps. The steps involved in setting up the web interface can also be performed manually.

These are the steps required to install and configure the web interface:

1. Copy the ASP files from the installation directory to a folder in the "c:\inetpub\wwwroot\rpmeeweb" directory.
2. Create a new virtual directory "RPMEEWeb" in IIS that references the "C:\inetpub\wwwroot\RPMEEWeb" directory.
3. Create a new COM+ Server Application called RPMEEWeb. Set the credentials for the application to valid local administrator credentials.
4. Add the two required COM objects to the COM+ Application as components. The two COM objects are located in the installation directory and are named "RPMEEWeb.ocx" and "RouletteWeb.dll".
5. Create a default access rule that grants full access to the web interface to members of the domain administrators group.
6. Create default access rules to allow domain administrators all access in the web interface.
7. Launch a new browser window with the web interface.

The information you will need to supply is the account name and password to use for the COM+ wrapper identity. This account will need local administrative access and domain user access. When you have entered account information, click Install Web Application to start the installation.

Note: When you upgrade to a new version of Random Password Manager Enterprise Edition, you will also have to re-run the web application installation to upgrade the web pages and COM components.

Web Application Installation Advanced Options

Using the advanced options, you can install and configure the web application to run either on the local system or on a remote web server. If you specify a remote web server, the required files and registry values will be copied out to the server along with the setup of the COM+ wrapper and the registration of the COM objects.

Using the advanced options you can:

Choose a destination directory for the ASP web pages.
Configure the web server to either create a virtual directory to reference the pages or move the pages into the root of the web server.
Choose a destination location for the required OCX and DLL files.
Specify the COM+ wrapper name on the server.
Set the logon account name and password used by the COM+ wrapper.

Web Application Security

We highly recommend you install and set up SSL encryption for the web server that will be hosting the web interface for Random Password Manager Enterprise Edition. Without SSL installed and running on the web server, the credentials passed from the web server to the authentication server could be sent unencrypted and could be vulnerable to network traffic sniffing. If you plan to implement the web interface over the internet, then we would also recommend limiting access based on specific IP address ranges.

IIS and ASP Pages

Microsoft Internet Information Services or Microsoft Personal Web Server (5.0 or better) is required to be running on the web server to use the web application component of Random Password Manager Enterprise Edition; processing of ASP pages must also be enabled. By default, ASP pages are turned off in IIS 6.0.

To enable ASP pages, open up the IIS control panel and open the properties of the default web site. Open the Home Directories tab and click on the Configuration button for Application Settings.

Make sure the .asp extension is listed and references the "C:\windows\system32\inetsrv\asp.dll" file.

Part of the installation of the web application involves creating a virtual directory in IIS. This virtual directory will reference the set of ASP pages which provide the user interface for the web application. During the automated web application installation, the ASP files are copied from the installation directory to the "C:\Inetpub\wwwroot\RPMEEWeb" directory and the new virtual directory is created in IIS. Shown here are the manual steps of making these changes.

Name the new virtual directory "RPMEEWeb".

Point the virtual directory to the location of the ASP pages.

Use the default permissions (read and run scripts).

The ASP pages used for the web interface are found in the "\UmpWebInterface" subdirectory under the installation path. If you install manually, you should copy them to a directory under the "C:\inetpub\wwwroot\" directory and reference that directory in the virtual directory. You don't need to copy the files to the "wwwroot" directory, but you need to ensure that the account which IIS is using to process ASP pages has access to the directory in which the files are located. By default, the IIS accounts will have access to files and folders under the "wwwroot" directory, which is why the files are copied there by default on install.

After making changes to the IIS configuration, an IIS restart will be required. You can restart IIS either through the IIS control console or through the command line with the command "iisreset". Restarting IIS will stop the web server service as well as any COM objects or services that are currently being held open by the web server.

Lastly, because of the nature of this application, the web server has the capability to send passwords out to the users of the web application. If there is the possibility of unauthorized users sniffing traffic from the web server, we recommend you install and use an SSL certificate on your web server to encrypt passwords viewed through the web interface. Support of SSL and the issuance of certificates will need to be handled by your organization.

COM+ Identity Wrapper

Random Password Manager Enterprise Edition utilizes a COM+ Server Application to store credentials for use by the COM objects used by the web application. Because the COM+ Application is a server application, it uses a specified set of credentials instead of using the launching process' credentials. Running as a specific user allows the COM+ Application to run the COM components at an elevated level of access without running the website as that powerful account. For the web application to work, the COM+ application must be running using an account which has local administrative rights as well as domain user rights.

COM+ must be supported and enabled on the web server for the web application installation. The creation of the COM+ object is handled through the web application installation wizard, but the steps can also be performed manually as shown below.

Open the Component Services utility and browse to the COM+ Applications folder on the local machine. Create a new COM+ Server Application (specific credentials) called RPMEE.

On the second page of the wizard, choose to create a new empty application.

Title the application RPMEEWeb and choose Server Application.

Enter the user account for the COM+ application. This account must have administrative access to the local machine.

Finish the wizard to create the COM+ Application. Initially it will be empty and you will have to add the required COM components to it so the web application can access them.

COM Components

Once the COM+ Application has been created, the COM objects used by the web application will have to be added so they will be registered with the system. Once the COM objects have been registered with the system, they can be called from other applications (in this case the web server can call them from ASP pages). The benefit of adding the COM objects to a COM+ application is that they will run as the user account stored in the COM+ application, rather than in the context of the calling user.

The required COM components are copied to the installation directory. The files which contain the COM objects are named "RpmEEWeb.ocx" and "RouletteWeb.dll". The installation wizard will automatically add the COM objects to the COM+ application, but you can also do this manually.

Open the Component Services console and locate the components folder of the RPMEEWeb COM+ Application. Choose to add new components to the application.

Choose to install new component(s).

Browse to the installation directory and add the RpmEEWeb.ocx and RouletteWeb.dll files to the COM+ application.

Once the COM objects have been added as components, the web server will be able to create and access them.

Web Application Authentication and Delegation

The web server uses a low-powered account to handle the processing of web pages. This is desired because if the website were to be compromised, any malicious behavior or executed code would run in the context of the web server. This design means the web server will not have access to the database directly or the ability to perform operations such as group and user lookups to check authentication. Because the web server will not have access to the database or to the domain, the COM+ wrapper must have local administrative rights and domain user rights. The credentials needed to access the SQL Server database are also stored locally and used by the COM objects when retrieving password, system, and delegation information from the database. The credentials are never used directly by the web server and thus are not exposed to the outside world.

The authentication mechanism starts when the web server requests a security token from the COM object. A security token is granted for each successful login and then stored in the database. This token contains the encoded rights associated with a specific login, including the lifetime for the login. Once the token has been passed back from the COM object, the web server stores it in the active session. Requests to perform operations are passed to the COM object along with the token, and the COM object determines whether or not the user has the appropriate access based on the token. Using this scheme, the web server does not have access to the database directly, so even if the web server were to be compromised, the attacker would not have access to any of the password data.

The delegation scheme for the web interface consists of a set of rules stored in the database that map directly to real Windows Domain Groups. The domain the web server is in will be the source for these Windows Groups. When you create an access rule, you specify both the action that is allowed and the Windows Group which is allowed to perform the action. User identification and authentication take place by passing the account name and password through the web server to the COM object, which attempts to perform a domain logon. If the logon is successful, the COM object will perform a group lookup for the username and build a list of the domain groups the user is a member of. The COM object will then build the set of rights granted to the one or more groups the user belongs to and encode those rights into a security token, which it saves to the database and passes back to the web server. When subsequent requests are made to the COM object from the web server, this security token is verified to ensure the user has the correct rights.

There are two basic types of delegation rules you can create for Windows Groups. The first is a Global Program Access Rule. This type of rule defines what basic web application operations are allowed to the members of a specific Windows Group. These rights include the logon right, access to all passwords, and the ability to change the delegation rules and check logs. Any Windows groups you want to have access to the web interface must be granted the logon right. The second type of rule is the Managed Group Access Rule. These rules determine which managed groups a Windows group has the right to access. If you want Windows users in a group to be able to recover passwords for a set of systems, you will create a Managed Group Access Rule for that Windows group and that set of systems.
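The login and token flow described above, as an added sketch that is not the product's code: a broker class plays the COM object and a web-tier class holds nothing but the token. The group names, right names, sample accounts, the in-memory token table and the choice of a random handle as the token are all assumptions, since the product's actual token encoding is not described here.

```python
import secrets
import time

# Constructed sample data. Group names, right names and accounts are assumptions.
PROGRAM_RULES = [  # Global Program Access Rules: (Windows group, right)
    ("Domain Admins", "logon"),
    ("Domain Admins", "all_passwords"),
    ("Domain Admins", "manage_access"),
    ("Test Group", "logon"),
]
DIRECTORY = {  # stand-in for the domain logon and the group lookup
    "alice": ("constructed-pw-1", {"Domain Admins"}),
    "bob": ("constructed-pw-2", {"Test Group"}),
    "carol": ("constructed-pw-3", {"Sales"}),
}


class Broker:
    """Plays the COM object: the only code that reads rules or the token table."""

    def __init__(self, lifetime=900, clock=time.time):
        self._tokens = {}  # stand-in for the database table of issued tokens
        self._lifetime = lifetime
        self._clock = clock

    def login(self, username, password):
        """Return a token for a valid logon that holds the logon right, else None."""
        stored, groups = DIRECTORY.get(username, ("", set()))
        # Compare even for unknown users so both failures take the same path.
        matches = secrets.compare_digest(stored.encode(), password.encode())
        if not matches or not stored:
            return None
        # Rights are the union of everything granted to the user's groups.
        rights = frozenset(r for g, r in PROGRAM_RULES if g in groups)
        if "logon" not in rights:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, rights, self._clock() + self._lifetime)
        return token

    def check(self, token, right):
        """Verify a token on every request: known, unexpired, and holding `right`."""
        record = self._tokens.get(token)
        if record is None:
            return False
        _user, rights, expires = record
        if self._clock() >= expires:
            del self._tokens[token]  # expired tokens are dropped, not refreshed
            return False
        return right in rights


class WebTier:
    """Plays the web pages: holds only the token, never rules or credentials."""

    def __init__(self, broker):
        self._broker = broker
        self.session = {}

    def sign_in(self, username, password):
        self.session["token"] = self._broker.login(username, password)
        return self.session["token"] is not None

    def can(self, right):
        token = self.session.get("token")
        return token is not None and self._broker.check(token, right)
```

Because the web tier only ever forwards a token, a forged or expired value fails at the broker, which is the property the design relies on.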

Delegation Configuration

The default web application installation gives all access to direct members of the domain administrators group. To delegate rights out to other groups, log in to the web interface as a user in the domain admins group. Click on the Manage Access tab and then the Program Access tab. From here you can choose which Windows groups have access to the most powerful program level rules. These rules are the ability to log on to the web interface, the ability to recover all stored passwords, and the ability to change access rules. Use this section to grant access to the Windows groups that will be allowed to use the web interface.

After granting Windows groups program access, click the Manage Group Access tab. This tab will allow you to set which Windows groups have access to each logical group of systems (and their accounts).

Getting Started

This chapter contains a few common tasks for Random Password Manager Enterprise Edition and step-by-step examples of how to accomplish these tasks.

In This Chapter
Randomizing the Local Administrator Password for Every System in the Domain
Schedule a Reoccurring Password Randomization
Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group
Recover a Password from a system in the 'Default' Group using the Web Interface

Randomizing the Local Administrator Password for Every System in the Domain

The first step is to add the domain to the system range of the current group. To do this, click "Edit Current System Set Properties..." from the SystemsList menu.

Now select the domain tab and enter the name of the domain. Click "OK" to return to the main dialog and click "Update Current System Set Now" to add all the domain systems to the current Managed Group.

You should see the systems in the domain in the system list. Highlight them all and click the Lock button in the lower middle right of the dialog. The default option is the local administrator account. Make sure the local administrator account option is selected. This option will change the built-in local administrator account on each machine, even if it has been renamed.

By default the password will be randomized; make sure the password is set to be randomized. Set this password change to run now by selecting "Immediately" as the scheduling option. Click Finish to start the job. When the job is complete, you will see a results dialog, which shows the status of each system that was part of the job.

Schedule a Reoccurring Password Randomization

Select the system(s) which have accounts you want to randomize and click the Lock button in the middle lower right of the main dialog. Enter the account name of the account you want to randomize. This will randomize the password for this local account on each of the selected machines.

By default the password will be randomized; make sure the password is set to be randomized. Select monthly for the scheduling option. The job shown will run at 12:00 AM on the first of every month. Click Finish to complete the scheduling of the job.

Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group

Begin by logging into the web interface as a user with the ability to change delegation rules. Select the Managed Access Tab.

Select the Program Access tab. Select the "Allow Web Logon" right from the drop list on the left and the "Test Group" from the list of Windows domain groups to the right. Granting this right will allow Windows users who are members of this Windows group to log on to the web interface. Click "Add Global Access Rule".

Click the "Managed Group Access" tab. Select the Managed Group "Default" from the drop list on the left and the Windows group "Test Group" from the drop list on the right. This step will give the users in the Windows group "Test Group" the ability to see and recover the saved passwords for accounts on systems in the "Default" managed systems group. Click "Add Group Access Rule".

Recover a Password from a system in the 'Default' Group using the Web Interface

Log into the web interface with an account which has been granted the ability to recover passwords for the "Default" managed systems group. Click on the "Default" group in the group list.

Click "Find Systems" to list all systems in this group. Select the account and system you want to recover and click the "recover" link.

The recovered password will be shown in the display (as shown below) and an automatic password rerandomization will be scheduled for 4 hours in the future.

Web Interface

This chapter covers the use of the web interface portion of Random Password Manager Enterprise Edition. This chapter includes instructions for both users and administrators of the web interface. Topics covered include: logging in to the web interface, recovering passwords, viewing system information, setting access rules, viewing log activity for the web interface, and delegating managed group access to Windows groups.

Note that throughout this chapter, the screenshots reflect an administrative user view. Users granted fewer rights will not have access to, and therefore will not see, some of the sections shown in the screenshots.

In This Chapter
Login
Password Recovery
System Status
Managing Access

Login

The first step in using the web interface is to log in. By default, access is given to members of the domain administrators group on the domain the web interface is installed on. Access can be configured through the web interface. Choose one of the trusted domains from the drop list and log on using a Windows username and password. All logon attempts are saved to the web interface activity log and can be viewed from the web interface. In order for users in a Windows group to access the web interface, they must be granted the logon right through the tool. Account authentication is done using the Microsoft Windows challenge/response system. For more information about setting up and configuring the web interface, see Web Application Installation.

Password Recovery

After logging in to the web interface, the most common task will be retrieving passwords. To do this, click the Password Recovery tab and then the Managed Groups tab on the secondary menu. You will need to know the name of the account you want to recover as well as the name of the machine that account is on. You will also need to know the name of one of the managed groups that contains that system. In the Managed Groups list you will only be able to see the names of the managed groups you have been given access to. Click on the name of the managed group that contains the system. If the system is contained in more than one managed group, any of the managed groups that contain that system will suffice.

The right to recover passwords is granted to all Windows groups that are allowed to log in to the web interface. The specific managed groups each Windows group has access to are further controlled through the Manage Access portion of the web interface.

When you select a managed group, you can choose to search for a known system by filter or display all systems with stored passwords from that group. To search for a known set of systems, use a substring to search for system names as they appear in the tool. For this example, "dev2" will return the "dev2000" system and "evp" will return the "devpat" system. Click on "recover" to show the password for the account. The recovered password can be highlighted and copied to the clipboard for ease of use.

If the logged in user account has been granted the all access right, then the 'All' tab will be available in the secondary menu (shown above). This tab provides a search of all stored passwords for all accounts on all systems in the tool. This search ignores the managed group memberships for systems and consequently grants a higher level of access to the password store.

Recovering a password will also cause the password to be scheduled for randomization. The time between the recovery and the change is configurable and the default time is 4 hours. All password retrievals are logged to the program log.

Note: If you have access to a system through a managed group, by default you will have access to all stored passwords for all accounts on that system. This can be configured using the password filters, which are explained in "Account Masks".

System Status

Using the System Status tab, you can see the latest status of systems based on a managed group. The right to view system status is granted to all Windows groups with the proper program logon right. Authorized users who can access the web interface can see the status of systems that are members of any managed group to which they have been granted access. Granting or denying control to specific managed groups of systems can be limited through the Manage Access portion of the web interface.

The columns shown in the system status view are the same columns shown in the Win32 application for each system. Note: the information for each system is only as current as the last operation (password change or refresh in the Win32 app) for that system.

When you select a managed group, you can choose to search for a known system by filter or display all systems from that group. To search for a known set of systems, use a substring to search for system names as they appear in the tool. For this example, "dev2" will return the "dev2000" system while "evp" will return the "devpat" system.

If the logged in user account has been granted the all access right, then the 'All' tab will be available in the secondary menu (shown above). This tab provides a search of all systems in the tool. This search ignores the managed group memberships for systems and consequently is a higher level of access to the system status information.

Managing Access

This section covers using delegation to manage access for the web interface. The delegation scheme uses rules applied to Windows groups to allow or deny rights within the web interface. The top level rights (program rights) determine which program level rights a Windows group is granted. These rights include the ability to log in, the ability to see everything, and the ability to change access rules. The second level of rules, managed group access rules, determines which managed group(s) a specific Windows group has access to. This level of delegation includes managed group access control lists and account name based filters. This section also contains the log information. The log tracks all users who attempt to log into the web interface and all password retrievals.

View Log

The activity log for all web interface logons and password retrievals is stored in the Manage Access section. To view the log, you must have been granted the program right to manage all web access controls. First choose which log you want to view. The access log shows all attempted logons to the web interface. The Recovery Log displays all passwords that were retrieved, and you may also select the range of time you are interested in. In addition, you can choose to view the activity for a specific user that has logged in or recovered passwords.

The access log shows the time of the logon, the originating IP address, the result of the attempt, and the logon username.

The recovery log shows the date of the recovery, the originating IP address, the authenticated username, the managed group that allowed access to the system, the system name, and the name of the account that was recovered. Note: when account passwords are recovered, they are scheduled to be automatically randomized in four hours.

Program Access

This section controls the higher level global program access rules. These rules dictate which Windows groups have rights in the web interface. The rights granted here are program wide and include: logon, display all accounts, manage web access controls.

The right to logon is the most basic right. This allows members of the Windows group to log into the web interface. This right will also allow users to see the System Status tab and the Password Recovery tab, but users in the group will not have access to any managed groups initially.

The right to see all account passwords grants members of the Windows group the right to recover the stored account passwords for any account saved within the system. This bypasses the managed group access check and applies to both the Password Recovery section and the System Status section.

The right to manage web access controls grants members of the Windows group the right to access the Manage Access section, which includes the log for the web interface. This section also contains the controls to change access to the web interface for Windows groups. This is the most powerful right granted and by default is only given to the domain administrators Windows group.

To grant a right to a Windows group you will create a rule. First select the program wide right from the left drop list, then select the Windows group from the right drop list. Now click "Add Global Access Rule".

A list of the global access rules is shown. This list contains all the groups with rights within the web interface. Windows groups not listed cannot log onto the web interface or recover any passwords. To remove a rule, click the 'del' link to the right of a specific rule.

Managed Group Access

This section controls the delegation of password recovery for managed groups to specific Windows groups. To allow a Windows group to recover the passwords for accounts on systems in a managed group, create a managed group access rule. First select the managed group from the left drop list. Next select the Windows group you want to grant access from the right drop list. Now click "Add Group Access Rule".

The list of Managed Group Access Rules shows each managed group with one or more access rules. Each group is listed on the left. On the right of each managed group is the list of Windows groups which have been given the right to recover passwords for accounts on systems in that group. To remove a Managed Group Access Rule, click the 'del' link to the right of the Windows Group name.

Note: If a Windows group has been given the global program access right to see all account passwords, users in that group will have access to all systems regardless of managed group memberships.

Account Masks

The Account Masks tab is used to filter the list of accounts for which a Windows group can recover passwords. Account Masks limit the accounts to which a member of the Windows group has access based on searching for one or more substrings within the account name. The account masks are not case sensitive.

Example: You have stored passwords for "Administrator", "User", and "Guest" accounts. The account mask of "admin" would allow members of that Windows group to still see and recover the password for only the "Administrator" account. The account mask of "u" would allow members of that Windows group to see and recover passwords for the "User" and "Guest" accounts.

The set of accounts a Windows group is allowed access to is the union of all the account filters. In the example above, if both filters were applied to a Windows group, then the group would be able to see and recover passwords for all three accounts.

Note: The account masks feature does not affect Windows groups which have been granted the right to access all accounts as a global program access rule. Authorized Windows groups will still be able to view and recover passwords for all accounts.
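The recovery decision described in the Managed Group Access and Account Masks sections, as an added sketch that is not the product's code. The policy layout, the "Help Desk" group, combining results across several Windows groups by union, and treating a blank mask as matching nothing are assumptions; the account names and the "admin" and "u" masks are the ones used in the example above.

```python
# Constructed policy; group names and the dict layout are assumptions.
POLICY = {
    "logon": {"Domain Admins", "Test Group", "Help Desk"},
    "all_passwords": {"Domain Admins"},
    "managed_group_rules": {"Default": {"Test Group", "Help Desk"}},
    "account_masks": {"Test Group": ["admin"], "Help Desk": ["u"]},
}
STORED_ACCOUNTS = ["Administrator", "User", "Guest"]  # accounts from the example above


def mask_matches(mask, account):
    """Case-insensitive substring match. A blank mask matches nothing here
    (assumption), because "" is a substring of every account name."""
    return bool(mask) and mask.casefold() in account.casefold()


def recoverable_accounts(user_groups, managed_group, accounts, policy=POLICY):
    """Return the accounts a user may recover on systems in `managed_group`."""
    groups = set(user_groups)
    # 1. No program logon right: nothing is visible at all.
    if not groups & policy["logon"]:
        return []
    # 2. The all-passwords right bypasses managed group rules and account masks.
    if groups & policy["all_passwords"]:
        return list(accounts)
    # 3. Otherwise a Managed Group Access Rule must name one of the user's groups.
    granting = groups & policy["managed_group_rules"].get(managed_group, set())
    allowed = []
    for account in accounts:
        for group in granting:
            masks = policy["account_masks"].get(group, [])
            # No masks on a group means no filtering; several masks are a union.
            if not masks or any(mask_matches(m, account) for m in masks):
                allowed.append(account)
                break
    return allowed


def mask_exposure(accounts, policy=POLICY):
    """Review aid: list which stored account names each configured mask exposes,
    so short masks that match more than intended stand out."""
    report = {}
    for group, masks in policy["account_masks"].items():
        for mask in masks:
            report[(group, mask)] = [a for a in accounts if mask_matches(mask, a)]
    return report


if __name__ == "__main__":
    for (group, mask), hits in mask_exposure(STORED_ACCOUNTS).items():
        print(f"{group!r} mask {mask!r} exposes {hits}")
```

Running the exposure report before applying a mask shows that a one-letter mask such as "u" reaches "Guest" as well as "User".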

Managing Systems

Systems are organized into logical managed groups in Random Password Manager Enterprise Edition. The initial group called "Default" is the only group created when the program is installed. Operations are performed on systems by adding them to a managed group, selecting them, and then choosing the operation to perform.

In This Chapter
Managed Group Dialog
Managed Group Dialog Menus
System List Columns
System Names and Name Resolution
Add Systems to Group
Connecting to Systems
Selecting Systems
Refresh Info
Setting Managed Group System Ranges
Dynamic Group Memberships
Managing Multiple Managed Groups

Managed Group Dialog

From this dialog you can add systems to or remove systems from the current active managed group. This is also where operations such as password change jobs are created. The system information associated with each system can also be seen here once it has been collected with a refresh operation.

Managed Group Dialog Menus

File
  Logging - Displays the details for the log file location and allows you to view the log.
  Datastore Configuration
    Wizard - A step by step guide to connecting to a database.
    Advanced - Complete database connection options.
  Application Components - View or change the settings for the application components.
  Manage Web Application
    Simple - A simple interface which allows you to install the web application to the default paths given account information for the COM+ application.
    Advanced - A complete set of options for installing the web application locally or remotely.
  Report Generator - An interface for exporting dialog data from the application to text files, xls files, html files.

View
  Refresh All Systems - Refresh the system information for the systems in the active managed group (version, OS, etc).
  Refresh Selected Systems - Refresh the system information for the selected systems (version, OS, etc).
  View Stored Passwords - View all passwords for all systems that have been saved to the program's password store.

SystemList
  Manage System Sets - Create, change, or delete a managed group.
  Edit Current System Set Properties - Change the range for systems which will be dynamically included in this group.
  Update Current System Set Now - Update the current managed group according to the ranges for system membership.
  Add From Domain Systems List - Add systems to the current managed group manually from the domain list.
  Add From Browse List - Add systems to the current managed group from the domain browse list.
  Add Systems Manually - Add systems to the current managed group by manually entering their names.
  Add From Active Directory - Add systems to the current managed group by querying Active Directory.
  Scan IP Range for Groups/Machines - Add systems to the current managed group by scanning an IP range for systems.
  Delete Systems From List - Remove the selected systems from the current managed group.
  Eliminate Duplicate Systems From List - Remove any systems that are duplicates (same system by IP and name).
  Export Systems List to a Text File - Export the list of systems from the current managed group to a text file.
  Import Systems List from a Text File - Import from a text file the systems for the current managed group.

ConnectAs
  Alternate Administrator Accounts - Add alternate credentials to grant access to systems which refuse the current logon account credentials.

DeferredProcessor
  Jobs Monitor - A dialog which shows all jobs scheduled to happen and the progress of both current jobs and past jobs.
  Retry Policy - Configure the failure behavior of manual and scheduled jobs.

Help
  Contents - Displays this document.
  License Keys - Shows which systems are currently using license tokens.
  Register - Enter a serial commercial key to register the application. Also supports remote licensing to connect to a licensed remote instance of the application.
  Database Configuration - Information about the current database connection settings.
  Logon Info - Information about the current logon session (user name, rights, etc).
  About - Displays version information, contact information, and the active serial number.

System List Columns

The columns shown for each system are:
  Role - WS for workstations and SRV for servers.
  Version - NT4, WK2, 2003, XP.
  Resolve By - SN (System Name), NB (NetBios), or IP (IP Address).
  NetBIOS Name
  IP Address
  Subnet Mask
  DHCP - Shows whether or not the IP address for this system is assigned through DHCP.
  MAC Address
  Checked - The last time this system was successfully contacted.
  Status - The last result message or error code for any operations on this system.

System Names and Name Resolution

NetBIOS names typically only resolve on a local subnet unless a WINS Server is provided. IP addresses can be used, but they have two problems: they don't provide a very meaningful identification for a machine, and they may be re-assigned through DHCP. Both of these problems might cause an administrator to make changes on the wrong machine inadvertently. With a DNS name, you can specify a machine in a way that is both easily identifiable and insensitive to changes in the machine's IP address through DHCP, as long as you are using DHCP and dynamic DNS linked together.

To check if a name is resolvable, try pinging the machine by name from the command line interface. If the ping resolves to the correct machine, our tool should be able to use that name to manage the machine (it uses the same resolution mechanism as ping does).

When the program does a Get Role/Version (Refresh) operation, it retrieves the NetBIOS name and IP address of each managed machine. By default, the machine is resolved by whatever name is in the System column (which can be a NetBIOS name, an IP address, or a DNS name). You can change the resolution type by right-clicking on the machine(s) and selecting a "Resolve By" option. This will cause the product to use the alternate name of the machine for name resolution. In most cases, however, the system name should be sufficient for name resolution. In addition, the other information can then be examined to make sure operations will affect the correct system(s).

Note: If you are having trouble connecting to machines using their DNS names, check to make sure the name you are using resolves to the correct machine (through ping).

Add Systems to Group

There are various ways to populate your groups with systems once the group has been created:
  Add from domain systems list.
  Add from network browse list.
  Add from shell network browse list.
  Add systems manually by name.
  Add from Active Directory.
  Add from scanned IP ranges.
  Import/Export Systems List from text file.

These methods are in addition to the IP Scanner and ODBC query, which can both be used to populate a group.

Add From Domain Systems List

Shown below is the Add from Domain List dialog. The fastest method of adding NT/2000/Server 2003/XP systems to this program is to inquire at the Primary Domain Controller (or just a Domain Controller for 2000/2003/XP) for the list of machines which have joined the domain. There are a few confusing cases when viewing servers in the domain list. The machine list may not represent all of the machines on the network (some machines may not have joined the domain). The list usually contains systems that have left the domain, but have not been purged from the PDC database via NT/2000/XP's server management tools.

After adding machines to the Selected Systems list, you can use the "Platform?" button to verify the connectivity, credentials, and version of the selected systems. The "Platform?" feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added. The Platform field indicates what operating system type is running:
  DOS
  OS/2 and Windows 95/98
  Windows NT/2000/XP
  UNIX/OSF
  DEC VMS

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing "Platform?"), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, and 5.2 is Server 2003), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both an NT/2000/XP Workstation and NT/2000/XP Server to have the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

Add From Network Browse List

Shown below is the Add From Network Browse dialog. To add a machine using the Network Neighborhood browsing architecture of the operating system, press the "Insert" key on the keyboard or the "Browse" button on the Manage Systems dialog.

If you are working with systems that have not joined a domain (workgroups), the easiest way to find and add them is to use the Network Browser architecture of Windows. This dialog allows you to browse the different network providers (Microsoft, Novell, Banyan), and then drill down to find the different machines on each network.

After adding machines to the Selected Systems list, you can use the "Platform?" button to verify the connectivity, credentials, and version of the selected systems. The "Platform?" feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added. The Platform field indicates what operating system type is running:
  DOS
  OS/2 and Windows 95/98
  Windows NT/2000/XP
  UNIX/OSF
  DEC VMS

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing "Platform?"), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, and 5.2 is Server 2003), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both an NT/2000/XP Workstation and NT/2000/XP Server to have the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

Add From Shell Network Browse List

The Shell Network Browser dialog allows you to browse the network for systems to add using the shell's browse functionality. This may be helpful for adding machines from organizational units in Active Directory, since the shell allows browsing of the Active Directory hierarchy. In this view, organizational units are represented as folders in the hierarchy. If you are creating a separate group for each organizational unit in your organization, you can populate the groups easily using this dialog.

Add Systems Manually

Shown below is the Add Systems Manually dialog. In cases where machines are not visible within the Network Neighborhood, and have not joined the domain, you may have to add them manually.

After adding machines to the Selected Systems list, you can use the "Platform?" button to verify the connectivity, credentials, and version of the selected systems. The "Platform?" feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added. The Platform field indicates what operating system type is running:
  DOS
  OS/2 and Windows 95/98
  Windows NT/2000/XP
  UNIX/OSF
  DEC VMS

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing "Platform?"), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, and 5.2 is Server 2003), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both an NT/2000/XP Workstation and NT/2000/XP Server to have the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

Add From Active Directory

Shown below is the Add Systems from Active Directory dialog on the Active Directory Browse page. When running on Windows 2000/XP/Server 2003 you have the ability to use a special Active Directory control known as the Object Picker. We have programmed the Object Picker to search for computers in Windows 2000/XP/Server The default options for the control are to show you both uplevel (native and mixed mode) systems as well as downlevel systems (NT). You can modify the options to force the search of any domain controller and have the search executed on your machine of choice remotely. You can also specify the type of directory to search (if needed). The Browse Options page is detailed in the following section.

Browse Options

Shown below is the Browse Options page of the Add From Active Directory Dialog. The "Browse Options" page shows the available options to put into effect when the "Browse" button is clicked on the first page. You would typically not need to change the browse options, but if you do, you would make a change on the "Browse Options" page, return to the first page, and then click on the "Browse" button to see the results of the new options. The default options are to only browse for machines in uplevel and downlevel domains that you have joined. The default domain is the one you are logged into and the search is performed from your local machine.

ACTIVE DIRECTORY BROWSE OPTIONS TARGET COMPUTER

These options allow you to control where searches are to be performed. Normally you can ignore these options. Use these options if you need to extract machine lists from foreign/non-Windows 2000 domains.

Skip Target Domain Controller Check - You should set this flag if you know your computer is not a domain controller, to save time. However, if your machine is a domain controller, you would not typically set this flag. It is usually best to select domain objects from the domain scope rather than from the domain controller itself.

Target Computer (optional) - Allows you to specify where to execute this search via the text entry field below the check box. You can set the checkbox and set the field to a non-Windows 2000 domain controller to see a list of machines that have joined that domain (the "Skip Target Domain Controller Check" should be unchecked in this scenario). If the "Target Computer" entry field is blank, the current machine is the target computer.

ACTIVE DIRECTORY SCOPE OF PROVIDER SEARCH

These options allow you to control which data source is to be used for your machine search. Generally, you can leave all of these options unchecked.

Force Starting Scope as - Sets the first entry in the "Look in" drop down to the option selection. Normally the drop down will default to its own choice.

Provider - These options are different data sources for searches.

LOOK-IN OPTIONS

Uplevel Joined Domain - Search the uplevel domain to which the target computer is joined. If this flag is set, you can use the "Uplevel Domain Controller" entry field to specify the name of a domain controller in the joined domain.

Uplevel Domain Controller Field - This field can be blank even if the "Uplevel Joined Domain" is checked, in which case the dialog box looks up the domain controller. This entry field enables you to name a specific domain controller in a multi-master domain. For example, an administrative application might make changes on a domain controller in a multi-master domain, and then open the object picker dialog box before the changes have been replicated on the other domain controllers.

Downlevel Joined Domain - Search the downlevel domain to which your computer is joined.

Enterprise Domain - Search all Windows 2000 domains in the enterprise to which the target computer belongs. If the Uplevel Joined Domain checkbox is set, then the results represent all Windows 2000 domains in the enterprise except the joined domain.

External Uplevel Domain - Search all uplevel domains external to the enterprise but trusted by the domain to which the target computer is joined.

External Downlevel Domain - Search all downlevel domains external to the enterprise but trusted by the domain to which the target computer is joined.

Workgroup - Search the workgroup to which the target computer is joined. Applies only if the target computer is not joined to a domain.

User Entered Uplevel Scope - Enables you to enter an uplevel scope. If neither of the "USER ENTERED" types is specified, the dialog box restricts you to the scopes in the "Look in" drop-down list.

User Entered Downlevel Scope - Enables you to enter a downlevel scope.

Add From IP Scanned Range

This option will open up the IP Scanner to scan TCP/IP Address Ranges for systems that respond to your credentials. When you have defined your ranges and found systems, use the IP Scanner's export options to add systems to your groups.

Import/Export Systems List

There are three methods listed under this menu item to import or export systems lists:

- Import System List from Text File
- Import From Active Directory Export File
- Export System List to a Text File

These methods make it easy to import systems lists from text files or Active Directory export files. An import will require you to have a previously created list of systems that is properly formatted (either created from Random Password Manager Enterprise Edition or elsewhere). Properly formatted text files of systems lists have one system name per line.

Connecting to Systems

When you try to perform an operation on a system, the account and credentials last used to successfully connect will be tried first. If there has been no previous successful connection to the system, the current logon account credentials are used. If the current logon credentials fail, then Random Password Manager Enterprise Edition will attempt to find a stored administrative account password to use for the target system. If the connection is still refused, then the alternate administrative credentials list will be tried (in order).

Selecting Systems

Select machines in the systems list by clicking on them. You can select multiple machines by Ctrl+Clicking on them. You can select a range of machines by selecting one and then shift-clicking on the last machine in the range. You can also use the drop list in the Managed Group dialog to select all systems, no systems, or the inverse of the current selection.

Refresh Info

This will gather the system information for all selected systems. There are multiple commands to refresh systems:

- Select the systems and press F5.
- Select nothing and press F5 (this will refresh all systems in the current managed group).
- Choose Refresh Selected System(s) from the View menu.
- Choose Refresh All Systems from the View menu.
- Choose Refresh from the context menu while a system is selected.
- Choose Refresh All machines from the context menu when no systems are selected.

Setting Managed Group System Ranges

Adding systems directly to a group is often inconvenient for networks that are dynamic. Rather than manually updating each managed group when the network configuration changes, you can use ranges to define the system list of a managed group. The system list for a group is the union of all systems that have been added manually and the systems found within the ranges. Because you can configure the group to update dynamically on a scheduled basis, the group will always keep itself in sync with the current network configuration. Managed Groups in Random Password Manager Enterprise Edition are considered Dynamic Groups because of this feature.

To see a managed group's system inclusion ranges, select Edit Current System Set Properties from the SystemsList menu. To update the system list of the current active group, select 'Update Current System Set Now' from the SystemsList menu.

Dynamic Group Memberships

Dynamic Group Overview: A Dynamic Group is a group of machines that are all found within a range. The range can be any combination of IP address ranges, domains, and Active Directory containers. This range can be further customized by the use of explicit inclusions, explicit exclusions, and sets of filtering options.

The following diagram illustrates the various different ranges that can all be used within a dynamic group. For this dynamic group, the system list will include systems found in all of these ranges.

Dynamic group ranges are also re-scanned on a reoccurring (customizable) interval to add any new systems in the range to the group and release systems from the group that are no longer in the range. In the following diagram, you can see the flow of events in the cycle of a dynamic group.

The purpose behind dynamic groups is to create a group that will dynamically update its system list to match the current state of the managed range, without having to manually add and remove systems when the network is reconfigured. By default, dynamic groups are checked every 30 days for new systems in the network configuration, and old systems which have lost contact are removed after 90 days of inactivity.

An example of a dynamic group would be a dynamic group managing the domain MyDomain. After setting up the domain to be scanned every ten days in the options page, we scan the range and add all systems in MyDomain to the systems list for the group. During the month, three systems are removed from the domain and four new systems are added. At the start of the next month you want to refresh info for all the systems on MyDomain. The Windows domain membership has changed, but the managed group will have synchronized automatically. The dynamic group has been scanning the domain for membership every 10 days and already has the current system list for MyDomain.

To create a Dynamic Group, click on "Add Dynamic Group" from the "Groups" menu in the Manage Groups dialog or select "Add Dynamic Group" from the context menu of the Manage Groups dialog. Each aspect of the dynamic group is described in the following sections.

You must enter a unique name for a new group. The other available configuration options for dynamic groups are:

- A group comment.
- A range for the dynamic group using one or more of the following: Domains, IP Address Ranges, Active Directory Paths, and Data Sources.
- An Explicit Inclusions entries list for systems to be included that may be outside of the range.
- An Explicit Exclusion entries list for systems that will be in the range but to which you do not want to make changes.
- Filter Options to limit group membership to specific names of systems, operating system versions, or system types.
- Options to specify how often the range is scanned for new systems and under which conditions old systems should be removed from the group.

Dynamic Group Name and Comment

Shown below is the Name/Comment tab of the Dynamic Group sheet.

This page allows you to specify a name for the dynamic group and an optional group comment. These group properties are identical to their simple group equivalents. You can use any characters you want to specify group names except "\\".

Dynamic Group Domains

Shown below is the Domains tab of the Dynamic Group sheet.

Add new domains to the dynamic group range by clicking the box button in the upper-right of the list control. You can either manually enter the name of the domain, or browse for domain names using the "..." button. You can also specify a system to get a list of trusted domains.

Dynamic Group IP Address Ranges

Shown below is the IP Address Ranges tab of the Dynamic Group sheet.

Add new IP Address ranges to the dynamic group range by clicking the box button in the upper-right of the list control. For help on how to specify IP Address ranges, see the IP Address Entries Section of the IP Scanner chapter. Any systems found within the IP range that authenticate will be included in the dynamic group. Only systems that respond are added to the group through the IP Scanner. Systems that are offline will not be added to the group through the IP Scanner.

Dynamic Group Active Directory Paths

Shown below is the Active Directory Paths tab of the Dynamic Group sheet.

Add new Active Directory paths to the dynamic group range by clicking the box button in the upper-right of the list control. Systems found using these paths will be included in the dynamic group.

Dynamic Group Data Sources

Shown below is the Data Sources tab of the Dynamic Group sheet.

From here, you can connect to ODBC data sources to get lists of systems for your group. To add queries to the list, click the box in the upper-right corner of the list. Add entries to this list using the following dialog:

You must supply a properly formatted connection string for each data source to which you wish to connect and a properly formatted query to return the desired system list. Each resulting row from the query is expected to contain one value, which is the name of a system to be included in the dynamic group.

Dynamic Group Explicit Inclusions

Shown below is the Explicit Inclusions tab of the Dynamic Group sheet.

Using Explicit Inclusions, you can specify one or more systems by name that will be included in the dynamic group whether or not they are discovered by other means.

Example: System PAT is added to the Explicit Inclusion list. The domains, IP address ranges, and Active Directory paths (which make up the dynamic group range) are scanned and the system PAT is not found. The system PAT is still added to the system list of the dynamic group. When the dynamic group is refreshed, the system PAT will not be removed from the group unless it has been removed from the Explicit Inclusions list (or placed on the Explicit Exclusions list).

Systems placed on both the Explicit Inclusions list and Explicit Exclusions lists will be excluded from the group.

Dynamic Group Explicit Exclusions

Shown below is the Explicit Exclusions tab of the Dynamic Group sheet.

Using Explicit Exclusions, you can specify a set of systems that will never be included in the dynamic group, even if they are within the discovery range. Use this option to prevent yourself from accidentally adding certain sensitive systems to the list, such as domain controllers or servers.

Example: System SERVER is the domain controller for the domain MyDomain. We know that SERVER should not be managed using the tool, but it is part of the MyDomain domain, which is part of the dynamic group range. The system SERVER is added to the Explicit Exclusion list. When the dynamic group is refreshed, SERVER will be found in the MyDomain domain, but SERVER will not be added to the list of managed systems even though it is included within the domain. Subsequent refreshes of the dynamic group will not cause SERVER to be added to the list of managed systems until it is removed from the Explicit Exclusions list.

Systems placed on both the Explicit Inclusions list and Explicit Exclusions lists will be excluded from the group.

Dynamic Group Filter Options

Shown below is the Filter Options page of the Dynamic Group sheet.

Filter Options allows you to specify a system name filter string (when scanning for new systems), system type matching, and OS version matching. System names which do not match the filter will be excluded from the group. The filter string can include one or more "*" as wildcards for matching systems. You may not use "?" to specify a single character wildcard. Only system names which match all filter criteria will be included in the group; all other systems will be filtered out.

Example: I want to manage all the systems that contain 'SALES', such as SALES1 and WORKSTATION_SALES. By specifying a filter of "*SALES*", I can filter all the systems in the range to just those systems to include in the group.

Dynamic Group Options

Shown below is the Options tab of the Dynamic Group sheet.

These options handle the automatic removal of systems that are no longer part of the dynamic group. You can also adjust how often the program checks the range of the dynamic group for new systems to add to the group. If the Scheduled Update option is not checked, then you will manually refresh the dynamic group from within the Manage Service Group dialog by selecting "Update Dynamic Group" from the SystemList menu.
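The membership rules from the dynamic group sections above (union of scanned ranges, "*"-only name filter, explicit inclusions, exclusions that always win, and removal after an inactivity window) can be dry-run before a range is placed under password management. The Python model below is an added example, not code from the product; `DynamicGroup`, `refresh` and `compile_name_filter` are hypothetical names. It assumes case-insensitive system names, that the name filter applies to scanned names only, and that a member is dropped once it has gone unseen for the inactivity window.

```python
"""Dry-run model of dynamic group membership (added example, not product code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def compile_name_filter(pattern):
    """Translate a '*'-only wildcard filter into a case-insensitive regex."""
    if "?" in pattern:
        # The manual says '?' may not be used as a wildcard. This example
        # rejects it instead of guessing how the product would treat it.
        raise ValueError("'?' is not supported in a system name filter")
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(regex, re.IGNORECASE)


def _norm(names):
    """Normalise names (assumption: system names compare case-insensitively)."""
    return {n.strip().upper() for n in names if n.strip()}


@dataclass
class DynamicGroup:
    name: str
    name_filter: str = "*"
    explicit_inclusions: set = field(default_factory=set)
    explicit_exclusions: set = field(default_factory=set)
    remove_after_days: int = 90                     # default stated in the manual
    last_seen: dict = field(default_factory=dict)   # member name -> datetime

    def members(self):
        return set(self.last_seen)


def refresh(group, scan_results, now):
    """Apply one scan of the group's ranges.

    scan_results maps a range label (domain, IP range, AD path, data source)
    to the system names that range returned. Returns (added, removed).
    """
    name_re = compile_name_filter(group.name_filter)
    included = _norm(group.explicit_inclusions)
    excluded = _norm(group.explicit_exclusions)

    discovered = set()
    for names in scan_results.values():          # union of every range
        discovered |= _norm(names)

    # Assumption: the filter is applied to scanned names only, because
    # explicit inclusions are members "whether or not they are discovered".
    in_range = {n for n in discovered if name_re.fullmatch(n)}

    # A system on both lists is excluded, so exclusions are subtracted last.
    wanted = (in_range | included) - excluded

    before = group.members()
    for name in wanted:
        group.last_seen[name] = now

    cutoff = now - timedelta(days=group.remove_after_days)
    for name in before - wanted:
        # Newly excluded systems leave at once; others age out.
        if name in excluded or group.last_seen[name] < cutoff:
            del group.last_seen[name]

    after = group.members()
    return after - before, before - after


if __name__ == "__main__":
    # Constructed sample data mirroring the manual's PAT / SERVER examples.
    group = DynamicGroup("Example", explicit_inclusions={"PAT"},
                         explicit_exclusions={"SERVER"})
    scan = {"domain:MyDomain": ["SERVER", "SALES1", "HR1"],
            "ip-range": ["SALES1", "LAB7"]}
    added, removed = refresh(group, scan, datetime(2024, 1, 1))
    print("added:", sorted(added), "removed:", sorted(removed))
```

Running the model against an export of the real ranges shows whether a domain controller or other sensitive server would end up in the managed set before any password change job targets it.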

Managing Multiple Managed Groups

Initially, only the one 'Default' group will be created and all systems will be added directly to that group. You can create additional managed groups to represent different logical groupings of systems. Access to saved passwords on systems through the web interface is controlled through a system's membership in one or more managed groups. When you grant a Windows group access to a program managed group, users in that group can use their existing Windows credentials to log into the web interface and will have access to stored passwords on all systems in the managed group.

To view the list of current managed groups, select Manage System Sets from the SystemsList menu or click the Manage Systems Sets button in the middle of the dialog. Using this dialog, you can create or delete groups and change the current active managed group.

The Auto create option allows you to quickly create a managed group for each OU in the current Active Directory. Groups created this way will be named according to their Distinguished Name in Active Directory and will contain all the systems that are contained in the OU. This option is only available if the system running the Win32 application is in an Active Directory domain.

Managing Passwords

This chapter covers how to use Random Password Manager Enterprise Edition to change passwords on your systems, recover stored passwords from within the Win32 application, and schedule password changes to happen on an ongoing basis.

Note: For password change jobs to occur on a scheduled basis, the deferred processor service must be installed and correctly configured.

In This Chapter

- Overview and Goals
- Creating a Password Change Job
- Viewing Stored Passwords

Overview and Goals

The primary goal of Random Password Manager Enterprise Edition is to make password changes very easy. The most common task that comes up is the need to change the local administrator account on a lot of machines on a regular basis. The interface has been designed with this specific task in mind. We also realize the local administrator account may have been renamed on one or more systems, so we have provided an option to change the local administrator account regardless of its current name.

The structure of password change jobs is system based, rather than account based, which means it is very easy to change the same account on many systems at once with the same job. This choice also means that changing multiple accounts on the same system will require multiple jobs, one for each specific account. In most cases after jobs have been created, they will be set to run either once or indefinitely and will not require user interaction.

The first step in changing a password requires you to select the systems to be included in the job. Once the systems have been selected, the name of the account to be changed needs to be entered. The account can be specified by name explicitly or can be set to one of the built-in account types. After the account is entered, the new password settings are supplied. The password for the account on all selected systems can be set to a static value or can be generated randomly in compliance with compatibility and complexity settings.

Once the password settings are entered, the only remaining step is to set the schedule for the password update job. The scheduling option will dictate whether the job runs once, runs right away, runs at a later time, or runs on an ongoing basis.

Creating a Password Change Job

To create a password change job, select one or more systems in the current managed group and click the 'Create new password change job' button in the middle of the dialog (the button shows a picture of a lock).

The first step is identifying the account you want to change. You can either input the name of a specific account or choose the built-in administrator or guest accounts. If you choose a specific account and that account is not found on one or more of the selected systems, you can choose to add the account to those systems. If you choose to add the account to missing systems, you will need to specify the type of account to ensure it is placed in the correct local groups.

Once you choose the account to update, the next step is setting the password settings. You can choose to either set the account(s) to a static password or create a randomly generated password for each account. Both static passwords and randomly generated passwords are stored in the program database and can be viewed through the Win32 application and through the web interface. If you opt for a random password, there are a variety of options to tailor the password complexity and compatibility.

After the password change settings have been entered, the next step is to set the scheduling options for this password change. The options for scheduling are immediately, one time, every hour, every day, every week, every month, or every year. Jobs that run immediately and jobs that run once will not be saved to run on a reoccurring basis.

After setting the job schedule settings, select finish to schedule the job. If the job is scheduled to run immediately, the job will start running in the managed group dialog. If the job is scheduled to run later, you can check its scheduled status in the job monitor.

Viewing Stored Passwords

Once passwords have been changed using Random Password Manager Enterprise Edition, you can view all the stored passwords by selecting View Stored Passwords from the View menu in the Managed Group dialog. Passwords can be exported from this view to a number of formats using the Report Generator (on page 89). Passwords can also be retrieved via the Web Interface (on page 40).

Deferred Processing

Random Password Manager Enterprise Edition includes a service which installs onto the local system and provides support to run deferred jobs according to a schedule. This service also handles the automatic retry of failed operations. System list updates for dynamic groups are also done in the background by the deferred processor. Lastly, the service controls the automatic randomization of passwords after they are retrieved via the web interface.

The service (RouletteSked.exe) is installed and configured through the Win32 application. Once installed, the service will start when the computer boots. The service periodically polls the list of jobs for work to do and dispatches the deferred processor (RouletteProc.exe) to do work on any jobs that are past their run time.

To view and edit scheduled jobs, use the Jobs Monitor. The Jobs Monitor can be accessed by selecting Jobs Monitor from the Deferred Processing menu in the Managed Group dialog. To change the retry settings for failed jobs, select Retry Settings from the Deferred Processing menu in the Managed Group dialog.

In This Chapter

- Jobs Monitor
- Deferred Processor Service
- Retry Settings

Jobs Monitor

The Jobs Monitor shows all jobs that are scheduled to run and all failed jobs that will be retried. From the job list you can see the most recent status of each job, the type of job, the systems associated with each job, and the scheduling/retry status of each job. From this dialog, you can also view the details of a job or delete a job.

Note: Jobs can be scheduled and failed jobs can be put into a retry state without the deferred processing service being installed. However, any scheduled job will not run until the service is installed and started.

The Deferred Processor menu allows you to start, stop, and configure the deferred processing service. Starting and stopping the service presumes previous installation. Installation settings are accessed through the configuration option.

The Job Options menu holds two items: Hide Job Results and Retry Options. Hide Job Results is a toggle that determines whether or not you see the job results window when jobs complete. If you choose to hide the results window, the default failure options will occur for failed jobs automatically (auto-retry in most cases).

Deferred Processor Service

Use the service configuration dialog to install, remove, start, stop, and change the settings of the deferred processor service. The service will need to be installed and running for any scheduled operation to happen (scheduled jobs, auto-retries, dynamic group updates, etc.). This dialog can be accessed through the Jobs Monitor or directly from the Managed Group dialog (Background Processor details button).

The account used by the service will need to have local administrative rights on the system. The middle of the dialog shows the status of the deferred processor service. By default, the service is located in the directory where the executable file was installed. The path to the service file can be edited using the Browse button by the Service Path edit field. Make sure to stop and uninstall the service before changing the path.

The log file for the service is also shown in the dialog. You can view, delete, print, or change the path of the log file using the Change Settings button. The log file for the scheduler is specific to the service and is not related to the program log file or each scheduled job's individual log file. The log entries in this log will refer to service starts, stops, job dispatches, and job exit codes. This log can be used to troubleshoot any problems that might come up with the deferred processor service (service failing to start, shutting down abnormally).

Retry Settings

These settings control how Random Password Manager Enterprise Edition handles errors that occur while running jobs. The default settings are to retry jobs on failure every 10 minutes until successful. For various reasons the default settings may not meet the needs of a production environment. Using these settings, you can define your own retry policy for failed jobs and tailor it to your needs.

Alternate Administrators

This feature allows you to specify additional sets of credentials which can be used to administer systems in multiple domains and workgroups. The program will automatically use the current login credentials or any of the alternate administrator credentials when it performs operations. When Alternate Administrators are enabled, it is normal to experience delays on some machines during operations because the program must wait for bad credentials to time out before trying alternate credentials.

To access the Alternate Administrators dialog, click the "Alternate Administrators Accounts" option from the "ConnectAs" menu.

In This Chapter

- Administrator Accounts Editor

Administrator Accounts Editor

Shown below is the Administrator Accounts Editor dialog.

The top list shows you the list of systems in the current group and any previous information recorded about the systems. The lower left of the dialog lists the alternate administrator accounts. The Status field shows the current status of any task that has begun and has not yet completed. The Active Threads box shows how many threads are working on the current task (zero when work is completed/no operation in progress). The progress bar is an approximation of task completion. The Current Logon Account is the account you are logged on as. You can edit the list of alternate administrator accounts by using the Administrator Accounts Editor menu option:

ALTERNATE ADMINISTRATOR ACCOUNTS

If you are going to edit or delete one of the entries, first highlight an entry and use either the "Edit" or "Delete" menu option. To add a new alternate administrator, use the "Add" option (also available through the Alternate Administrators menu item). These options are also available through the context menu (right-click menu) of the Alternate Administrators List.

You can enter the name of your alternate administrator (use the "domain\account" or "account" formats) by manual entry, or via the "Local" or "Domain" browse buttons. You can also use the substitution '%system%' to replace the system name for local account changes to multiple machines.

For example: The local machine name is PAT, is a domain controller in domain DOMAIN, and has an account named CustomUser. The target machines each have local accounts named CustomUser, but also have the account DOMAIN\CustomUser. By specifying %system%\customuser, you are sure to specify the local CustomUser account on each machine, rather than the domain account DOMAIN\CustomUser.

TESTING ADMINISTRATOR ACCOUNT ACCESS

Check the "Enable Alternate Administrators" checkbox to use all alternate credentials when accessing systems. To test access, highlight one or more systems (if none are selected, all systems in the list are tested for access) and click on the "Test Access" button (or go to the menu item Test Access Start).

This test will tell you which systems are on-line and which credentials worked with which systems. You can tell when the testing is completed by keeping an eye on the "Active Threads" field. When the thread count equals zero, all of the tests have been completed.

The columns for "AdminID" and "AdminPwd" show which account/password provided administrator access to each remote system. If none of the entries worked, this will be reflected in the "Access Status" field. Lack of appropriate administrator credentials is shown by an error code of 5 - Access Denied. Other error codes (i.e. 53, 1722) usually indicate an off-line system.

ENABLE ALTERNATE ADMINISTRATORS

Normally you will use only your logon account. To have the program try alternates in case of problems authenticating, set the check box: Enable Alternate Administrators.

REPORT GENERATOR - ALTERNATE ADMINISTRATORS

You can export the results of an authentication test using the built-in Report Generator (on page 89).

Report Generator

The report generator feature allows you to generate reports from many places in the product. The report generator includes customizable HTML output, e-mail, and arbitrary post-generation program execution. Regardless of which list the report is being generated from, the report generator dialog (shown below) and functionality are the same.

To create a report output file and launch an appropriate viewer for the file, click on the Generate Report button located at the bottom of the dialog. Normally, after you generate a report, the report dialog window will save its settings and close. You can prevent the dialog from closing after completing the generation of a report by setting the checkbox: "Do Not Close Dialog After Report Generation". You can save new dialog settings without generating a report by using the "Save Settings" button, or you can abort the report generation by using "Cancel".

The Export Data Columns list shows the columns in the list for which the report is being generated (in this case, the manage group list in the main window). You can change a column's output enable state by double-clicking on it. You can also check/uncheck all columns by using the "All" and "None" buttons to the right of the list.

The Export Status Columns section lets you add a status column to the output which indicates the rows in the source list box that were highlighted (selected). If this option is selected, the generated report will have an additional column; in the new column, rows that were selected will be labeled "Yes" and rows that were not selected will be labeled "No".

The Limit Output to Rows with: option allows you to export only those rows that were highlighted in the previous list (requires the report to be run from a dialog with a list of items that are selectable).

The No Column Headers option allows you to export just the results without including the data column header titles.

The File Name box shows the file name for the generated report. You must have a valid output file for the report, even if you take no action based on the report. The extension of the file is automatically adjusted to be a valid extension based on the report type. You can overwrite the extension in the file name box if you wish.

The Report File Output Type box allows you to set the type of the report. The report type options are comma delimited, tab delimited, fixed width (space padded to the fixed width), and HTML. You can edit the format of the HTML output in the HTML Edit Dialog (on page 91).

The Post-Generation Action box shows the actions to be taken after the output file is generated. You can create the file only, which simply generates the output file. You can View or Print the report, which invokes the View or Print shell action on the resulting report file (the actual program invoked to view or print is dependent on your shell settings for actions based on the extension of the report file). You can choose to execute an arbitrary program after the report is generated; use the "..." option to pull up the executable editing window. Finally, you can e-mail the resulting report file (inline or as an attachment); use "..." to pull up the Settings Dialog (see "Server Settings Overview" on page 93).

If you have the "Show Dialog on Success" checkbox checked, the program will notify you with a dialog box when the report action is complete (this may be useful if the action produces no visible feedback itself). The program will always show a dialog box if an error occurs during the report generation/action.

The Title field allows you to edit the title of the report; this is currently only output in HTML reports. The "Edit" setting pulls up a window which allows you to add replaceable report-specific variables to the report title.

In This Chapter

- Report File Output Type
- Post-Generation Action
- Server Settings Overview

Report File Output Type

There are four file types that the Report Generator can generate:

Comma Delimited - Column data is separated with a comma, with the first row containing the column names. This can be read into a spreadsheet such as Excel.

Tab Delimited - Similar to comma delimited except tab characters are used rather than commas.

Fixed Column Width - This allows you to specify how wide each column is in characters. This is useful for fixed size viewing, printing, and some displays that may have limited space. Information that does not fit within the fixed size is truncated on generation. This format is useful for generating human readable output.

HTML - Customizable HTML reports.

HTML Edit Dialog

This edit window, shown below, allows you to edit the format for the HTML report output. The HTML output template is set to the default template the first time the report generator is run, and you can always revert to the default template by pressing the "Default" button.

You can have any number of template files for HTML reports. The file name editor lets you select which template file you are currently editing. The file menu lets you open or save templates. The current template file is shown in the template editing window, and can be edited directly. Alternatively, you can edit the template outside of the program in your favorite editor.

The top of the edit window shows the variables which you can use in your report that will be automatically populated with data specific to the actual report being generated. You can insert these variables into the template file at the current cursor position by using the "Insert" button, double-clicking the variable you wish to insert, or simply entering the variable name directly into the template.

The look of the generated report data is controlled by several CSS style elements. The default template has default styles for these elements, but you can modify them as appropriate. The look of the report title elements is set directly in the HTML (which you can also modify). By modifying the style elements and HTML, you can generate whatever report templates are appropriate for your organization.

Post-Generation Action

The Report Generator allows you to perform actions when the generation of the report is complete. The following options are currently available:

Create File Only - Only create the file.
View - View the file using the default shell viewer based on the file extension.
Print - Generate the report and use the default shell printing application based on the report file extension.
Execute Program - Allows you to specify a program to be run upon the completion of report file generation. With this option, you must specify the path to the program and any additional command line arguments that you wish to run with the program. You can test the program as you configure it from the setup screen.
Email - You may email the report file in the body of an email or as an attachment. You can specify a list of email addresses that you wish to send the report to and append a custom subject line to the report.
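The truncation behaviour of the Fixed Column Width output type (see Report File Output Type above) can hide differences between systems in a printed report. The sketch below is an added example, not code from the product or this guide: it renders rows to fixed widths, lists every value that was cut, and flags system names that become indistinguishable. The column names, widths, single-space separator and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: column names, widths and rows are illustrative
# assumptions, not the product's actual report schema.
COLUMNS = [("System", 12), ("Account", 10), ("Status", 8)]
ROWS = [
    {"System": "NYC-FINANCE-WS01", "Account": "Administrator", "Status": "Success"},
    {"System": "NYC-FINANCE-WS02", "Account": "Administrator", "Status": "Failed"},
    {"System": "LAB-07", "Account": "root", "Status": "Success"},
]


def fit(value, width):
    """Pad or cut one value to exactly `width` characters.

    Returns (cell_text, was_cut)."""
    text = str(value)
    return text[:width].ljust(width), len(text) > width


def render_fixed(rows, columns):
    """Render a header plus one line per row, each column at its fixed width.

    Returns (lines, truncated) where truncated lists every value that lost
    characters as (row_index, column_name, original_value)."""
    # Assumption: columns are separated by a single space.
    lines = [" ".join(fit(name, width)[0] for name, width in columns)]
    truncated = []
    for index, row in enumerate(rows):
        cells = []
        for name, width in columns:
            original = str(row.get(name, ""))
            cell, was_cut = fit(original, width)
            if was_cut:
                truncated.append((index, name, original))
            cells.append(cell)
        lines.append(" ".join(cells))
    return lines, truncated


def ambiguous_values(rows, columns, key):
    """Find distinct values of column `key` that look identical after cutting.

    Returns {displayed_text: [original values sharing it]}."""
    width = dict(columns)[key]
    groups = defaultdict(set)
    for row in rows:
        original = str(row.get(key, ""))
        groups[original[:width]].add(original)
    return {short: sorted(full) for short, full in groups.items() if len(full) > 1}


def required_widths(rows, columns):
    """Smallest width per column that shows every header and value in full."""
    return {
        name: max([len(name)] + [len(str(row.get(name, ""))) for row in rows])
        for name, _ in columns
    }


if __name__ == "__main__":
    report, cut = render_fixed(ROWS, COLUMNS)
    print("\n".join(report))
    for row_index, column, original in cut:
        print(f"row {row_index}: {column} value {original!r} was truncated")
    for shown, originals in ambiguous_values(ROWS, COLUMNS, "System").items():
        print(f"{shown!r} stands for {len(originals)} systems: {originals}")
    print("widths needed:", required_widths(ROWS, COLUMNS))
```

Running the same check against an exported comma delimited copy of a report gives the widths to enter before generating the fixed-width version.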

Email Server Settings Overview

This product includes email send capabilities as a Report Generator (on page 89) output option. The product uses SMTP to send email, and relies on the presence of an accessible SMTP server. The SMTP settings dialog allows you to configure the SMTP settings, which are then shared by all Lieberman Software products.

The Destinations dialog is shown below. The destination list contains the addresses to send the report to after generation. The subject line has the subject for the report email. The "Edit" button lets you edit the subject line and insert report-specific replaceable variables. The "Settings" button pulls up the Settings dialog (see "Email Server Settings Overview" on page 93), which lets you enter the SMTP configuration information for your network.

The Server "Settings" contains three parts:

General SMTP Settings (see "SMTP Settings: General" on page 94)
Outgoing Server Settings (see "SMTP Settings: Outgoing Server" on page 95)
SMTP Logging (see "SMTP Settings: Logging Options" on page 96)

SMTP Settings: General

The general settings page, shown below with the default information, contains the general settings for sending SMTP messages, including the name, organization, address, and reply address of the sender.

Note: You should configure the sender information so that your outgoing SMTP server will accept messages from that sender; otherwise your messages may be dropped by the SMTP server.

This page also allows you to configure several server settings: Message Priority Recipient Client Addresses Custom Message Headers Secure Delivery Status Notification Settings

SMTP Settings: Outgoing Server

The outgoing server settings page allows you to set the configuration for the outgoing SMTP server. It is shown below with the default pre-populated settings, which you should set to the appropriate settings for your network.

The outgoing server name should be set to an SMTP server. The default port for SMTP traffic is 25; change this if your server uses another port. Likewise, the default timeout should work for most servers; change this if necessary for your server. If your server requires authentication to send SMTP email, you can enter the appropriate information in the authentication box. If your server is using SSL, check the box to enable SSL encryption.

Tip: As an administrator, you probably already know your SMTP server settings; but if not, you can always get them from your email client program. Just pull up the settings for your email account, and copy the settings into the SMTP configuration dialog.

Note: Currently, the product only supports SMTP email. If you use another protocol to send email (for example, Microsoft Exchange), you will need to enable an outgoing SMTP server to send email from within this program. You can also use the execute program option to send mail via a command line program.

When you have entered all the information on this page and the General Settings Page (see "Email Server Settings Overview" on page 93), you can test the connection to the SMTP server by using the "Test These Settings" button. If the connection exists and the server allows a logon to send email using the current settings, the product will confirm that everything is set up correctly. If the connection fails, adjust the settings and try again.

SMTP Settings: Logging Options

The logging page lets you set the logging options for SMTP email. Event logging tells the SMTP application to log events to the Windows event log. The log file logs communication transaction details while performing SMTP operations. The logging option is useful for debugging problems with SMTP traffic.

Help Information

The Help menu contains some useful information including product versions, access to this manual, database connection info, license info, registration info, and current logon session information.

In This Chapter
License Keys
Registration
Database Configuration
Logon Info
About

License Keys

The License Token Assignment dialog shows how many license tokens are currently in use and which systems those tokens are assigned to. Under normal operation, this dialog is not necessary. If the configuration of your network changes and some systems are replaced with others, you can use this feature to release license tokens from one or more of the obsolete systems and optionally manually license the new systems.

Each system that is stored in the program's data store is listed on the left of the list. The "Licensed" column shows whether or not that system has a license token assigned to it. The "#Rekeys" column shows the number of times a license token has been removed from a specific system.

Note: There is a limit to the maximum number of rekeys for each system before that system becomes locked out and can no longer be licensed.

The "InAGroup" column shows whether or not the system is a current member of any managed group. Systems listed as abandoned are currently not members of managed groups. The "LastAccess" column shows the last time a specific system was successfully contacted.

The button boxes show the number of abandoned systems, locked-out systems, and rekeyed systems. Abandoned systems are systems that are not members of managed groups. These systems may or may not be licensed. Locked-out systems are systems that have exceeded their rekey count and can no longer be assigned a license token. Rekeyed systems are systems that have had their license token removed and are no longer licensed, but can still have a license token assigned to them.

There is also the maximum number of rekeys shown. The Maximum number of rekeys indicates how many times a license token can be removed from a system and re-licensed before it is locked out and can no longer be licensed.

To manually remove a license token from a system, highlight the system in the list and click the "Release" button. This will remove the license token from the system, decrement the Tokens in Use count, and increment the total rekey count. The license column will show that the key has been removed and the system rekey count will not be incremented until the system is licensed again either manually or by performing an operation on it.

To manually assign a license token to a system, highlight the system in the list and click the "Assign" button. The number of Tokens in use will increment by 1 and the license column will indicate that the system has been licensed.

Registration

The registration dialog allows you to enter customer and license information. This dialog is used to activate the commercial version from the demo version. The built-in demo key is included in the distribution. Upon purchase, our sales representative will send you your commercial key to enter here. You can also find your key here or input a new key if you purchase more licenses. The remote license feature is described in the program options section. The exit button quits the program.

Database Configuration

This dialog shows the settings which are being used to connect to the program database. These settings can be changed through the File -> Datastore Configuration options.

Logon Info

This dialog provides information about the current logon session. This information includes what the logon domain is, the operating system version, and the list of effective rights for the currently logged on user.

About

The About dialog shows the product version and serial number, as well as the product license information and our company contact information. If you need to find your serial number, it is listed here.

Program Options

This section contains information about other program options that do not fall into a specific category or are not associated with a particular operation. Some examples include database connection settings and logging options.

In This Chapter
Logging
Datastore Configuration
Application Components
Manage Web Application
Remote Licensing

Logging

Before you begin using the product, you should examine the log file settings. The log file settings are on the "File" menu under "Logging". Depending on your needs, you may want to increase the level of logging performed by Random Password Manager Enterprise Edition to track changes or create records of operations (successes and error codes).

By default, the log file will be created in the location recommended by Microsoft for application log files. If you prefer another location for log files, simply specify a new log file location/name using the '...' button.

There are two thresholds of logging available: extended and normal. The extended (verbose) mode includes normal log information and information on the internal phases the product goes through while performing changes and logging. In normal operation extended logging is not necessary. The extended logging information is useful for debugging should it become necessary.

The log file is always appended to. It is always safe to read/copy the log file when changes are not in progress. You may have to stop the program before removing the active log file.

Log Statistics - By checking the Log Statistics check box, the log will receive the pre and post transaction counts for the following categories: users, groups and group memberships. This information will be logged to the log file.
View - View the log in the Notepad text editor.
Print - Print the log file.
Delete - Delete the log file.
Log Size - Displays the current size of the log file in bytes.
Windows Event Log - These options tell the program to also log to the computer's Application Event log. The remote computer is the computer that is being changed by the program and the local machine is the machine that the program is running on. The Windows Application Event Log is a record of program activity and can be useful in tracking operations performed with Random Password Manager Enterprise Edition which would reflect changes to the network configuration or security.

Datastore Configuration

There are two methods to configure the data store used by Random Password Manager Enterprise Edition. The wizard is the easier. The wizard will provide you with a three step guide to setting up the connection to a database. As stated in the requirements, Random Password Manager Enterprise Edition requires an instance of SQL Server or MSDE. SQL Server does not have to run on the same machine, but must be accessible from the machine running Random Password Manager Enterprise Edition (connectivity and valid credentials).

The first step is locating the machine the database is running on. The second step is providing credentials to connect to the database. The final step is choosing the specific database that you would like to use for the program data store.

Note: The database must be pre-existing.

The second method is a single page that allows you to enter all of this information at once. The advantage of the wizard is that you will be able to verify each piece as you progress through the steps. If the server is not available or the credentials are not valid, the wizard will not let you advance. The single dialog will also check for the same errors, but errors could be generated from any of the steps.

Application Components

This feature allows you to quickly check and verify that all the required components are installed and configured properly. The Overall Status window near the bottom of the dialog will alert you of any problems with application components. For each component in the drop list, you can see the name and path to the component, the description, status, and version information for that component. Use the '...' button to locate a missing component if it has been moved to a different location. You can also reset the path of each component to its default using the 'Reset' button. If you have changed the path to a component, make sure to click "Refresh" to get the most accurate version information for that component.

Manage Web Application

There are two methods of managing the installation of the web application, a simple wizard and a comprehensive dialog.

The wizard will use default values for all non-required fields and install components to default locations on the local system. The wizard assumes that IIS is installed locally and that the COM+ is up and running. To complete the wizard, you will be asked to enter account credentials for the COM+ wrapper that the COM objects will be registered with. From the wizard you can also check to make sure that the local system will support the installation and/or open up the advanced options dialog. Once you install the web application you can check it to ensure that it has installed correctly.

The advanced options dialog exposes more of the settings for the web application installation. Using the advanced options you can choose to install the web application to the local system or to a target remote system. If you choose a remote system, check to ensure that the system is compatible (has IIS and COM+).

The Web Files section allows you to configure the destination location of the ASP pages used by the web interface on the target system. You can choose to install the files to the root of the web server or create a new virtual directory on the web server that references the directory where the ASP pages will be copied to. By default, a new virtual directory is created named "RPMEEWeb" and any existing virtual directory with the same name is updated on the target web server to reflect the specific path.

The DLL COM objects are copied into the system32 directory on the target system by default, but you can change the location if you wish. You will also need to supply credentials for the account that the COM+ wrapper will run as on the web server (this step is required in both the wizard and the advanced setup).

Remote Licensing

Multiple administrators can share a single license from multiple NT/2000/Server 2003/XP workstations. This option does not share group or system information (each group and system info is maintained locally). General application data is also not shared. This essentially means each instance of the install is a complete version which maintains its own separate program data. You will have to create groups and add systems to those groups for each different machine you want to run Random Password Manager Enterprise Edition on. If you need to transfer group information from one instance of Random Password Manager Enterprise Edition to another, use the Import/Export features for system lists.

To enable the use of a shared license key, you must first have installed a commercial version of the software on one of your systems. Go to the registration screen and set the checkbox: "Use Remote License". You may choose to connect as an Alternate Administrator. Enter the name or browse to find the name of the machine that has the license. Enter the name of the licensed machine in the Remote Licensed Machine Name field. Finally, click on the "OK" button.

Note: On the remote system, the account you are logged on as must have administrative credentials, otherwise it will not share the key with you.
If you physically disconnect from the machine that contains the licensed key, you will not be able to use the software unless you return to local mode by unchecking the checkbox: "Use Remote License". IF YOU ARE PLANNING TO INSTALL THE SOFTWARE ON A LAPTOP OR MACHINES THAT CANNOT BE NETWORKED TOGETHER TO SHARE THE COMMERCIAL KEY, YOU WILL NEED TO OBTAIN A SEPARATE LICENSE KEY FOR EACH DISCONNECTED SYSTEM.



Acronis Backup & Recovery 11.5 Quick Start Guide

Acronis Backup & Recovery 11.5 Quick Start Guide Acronis Backup & Recovery 11.5 Quick Start Guide Applies to the following editions: Advanced Server for Windows Virtual Edition Advanced Server SBS Edition Advanced Workstation Server for Linux Server

More information

Installation & Upgrade Guide. Hand-Held Configuration Devices Mobility DHH820-DMS. Mobility DHH820-DMS Device Management System Software

Installation & Upgrade Guide. Hand-Held Configuration Devices Mobility DHH820-DMS. Mobility DHH820-DMS Device Management System Software Installation & Upgrade Guide Hand-Held Configuration Devices Mobility DHH820-DMS Mobility DHH820-DMS Device Management System Software WARNING notices as used in this manual apply to hazards or unsafe

More information

Agent Configuration Guide

Agent Configuration Guide SafeNet Authentication Service Agent Configuration Guide SAS Agent for Microsoft Internet Information Services (IIS) Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright

More information

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015 Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this

More information

TANDBERG MANAGEMENT SUITE 10.0

TANDBERG MANAGEMENT SUITE 10.0 TANDBERG MANAGEMENT SUITE 10.0 Installation Manual Getting Started D12786 Rev.16 This document is not to be reproduced in whole or in part without permission in writing from: Contents INTRODUCTION 3 REQUIREMENTS

More information

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014 DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014 Contents Overview... 2 System requirements:... 2 Before installing... 3 Download and installation... 3 Configure DESLock+ Enterprise Server...

More information

CA VPN Client. User Guide for Windows 1.0.2.2

CA VPN Client. User Guide for Windows 1.0.2.2 CA VPN Client User Guide for Windows 1.0.2.2 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is for your

More information

Lepide Event Log Manager. Users Help Manual. Lepide Event Log Manager. Lepide Software Private Limited. Page 1

Lepide Event Log Manager. Users Help Manual. Lepide Event Log Manager. Lepide Software Private Limited. Page 1 Users Help Manual Lepide Event Log Manager Lepide Software Private Limited. Page 1 Users Help Manual for Lepide Event Log Manager Lepide Software Private Limited, All Rights Reserved This User Guide and

More information

WhatsUp Gold v16.1 Installation and Configuration Guide

WhatsUp Gold v16.1 Installation and Configuration Guide WhatsUp Gold v16.1 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.1 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

Remote Management System

Remote Management System RMS Copyright and Distribution Notice November 2009 Copyright 2009 ARTROMICK International, Inc. ALL RIGHTS RESERVED. Published 2009. Printed in the United States of America WARNING: ANY UNAUTHORIZED

More information

Administrators Help Manual

Administrators Help Manual Administrators Help Manual Lepide Active Directory Self Service Lepide Software Private Limited Page 1 Administrators Help Manual for Active Directory Self-Service Lepide Active Directory Self Service

More information

Installation Guide for Pulse on Windows Server 2008R2

Installation Guide for Pulse on Windows Server 2008R2 MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

Sophos Mobile Control Installation guide

Sophos Mobile Control Installation guide Sophos Mobile Control Installation guide Product version: 2.5 Document date: July 2012 Contents 1 Introduction... 3 2 The Sophos Mobile Control server... 4 3 Set up Sophos Mobile Control... 13 4 Running

More information

TIBCO Spotfire Automation Services 6.5. Installation and Deployment Manual

TIBCO Spotfire Automation Services 6.5. Installation and Deployment Manual TIBCO Spotfire Automation Services 6.5 Installation and Deployment Manual Revision date: 17 April 2014 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

ILTA HANDS ON Securing Windows 7

ILTA HANDS ON Securing Windows 7 Securing Windows 7 8/23/2011 Table of Contents About this lab... 3 About the Laboratory Environment... 4 Lab 1: Restricting Users... 5 Exercise 1. Verify the default rights of users... 5 Exercise 2. Adding

More information

Archive Attender Version 3.5

Archive Attender Version 3.5 Archive Attender Version 3.5 Getting Started Guide Sherpa Software (800) 255-5155 www.sherpasoftware.com Page 1 Under the copyright laws, neither the documentation nor the software can be copied, photocopied,

More information

Crystal Reports Installation Guide

Crystal Reports Installation Guide Crystal Reports Installation Guide Version XI Infor Global Solutions, Inc. Copyright 2006 Infor IP Holdings C.V. and/or its affiliates or licensors. All rights reserved. The Infor word and design marks

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

ScriptLogic File System Auditor User Guide

ScriptLogic File System Auditor User Guide ScriptLogic File System Auditor User Guide FILE SYSTEM AUDITOR I 2005 by ScriptLogic Corporation All rights reserved. This publication is protected by copyright and all rights are reserved by ScriptLogic

More information

LepideAuditor Suite for File Server. Installation and Configuration Guide

LepideAuditor Suite for File Server. Installation and Configuration Guide LepideAuditor Suite for File Server Installation and Configuration Guide Table of Contents 1. Introduction... 4 2. Requirements and Prerequisites... 4 2.1 Basic System Requirements... 4 2.2 Supported Servers

More information

How To Install An Aneka Cloud On A Windows 7 Computer (For Free)

How To Install An Aneka Cloud On A Windows 7 Computer (For Free) MANJRASOFT PTY LTD Aneka 3.0 Manjrasoft 5/13/2013 This document describes in detail the steps involved in installing and configuring an Aneka Cloud. It covers the prerequisites for the installation, the

More information

NovaBACKUP xsp Version 12.2 Upgrade Guide

NovaBACKUP xsp Version 12.2 Upgrade Guide NovaBACKUP xsp Version 12.2 Upgrade Guide NovaStor / August 2011 Rev 20110815 2011 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications

More information

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0 Microsoft Dynamics GP Workflow Installation Guide Release 10.0 Copyright Copyright 2008 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of

More information

Virtual CD v10. Network Management Server Manual. H+H Software GmbH

Virtual CD v10. Network Management Server Manual. H+H Software GmbH Virtual CD v10 Network Management Server Manual H+H Software GmbH Table of Contents Table of Contents Introduction 1 Legal Notices... 2 What Virtual CD NMS can do for you... 3 New Features in Virtual

More information

DESlock+ Basic Setup Guide ENTERPRISE SERVER ESSENTIAL/STANDARD/PRO

DESlock+ Basic Setup Guide ENTERPRISE SERVER ESSENTIAL/STANDARD/PRO DESlock+ Basic Setup Guide ENTERPRISE SERVER ESSENTIAL/STANDARD/PRO Contents Overview...1 System requirements...1 Enterprise Server:...1 Client PCs:...1 Section 1: Before installing...1 Section 2: Download

More information

Sophos Mobile Control Installation guide. Product version: 3.5

Sophos Mobile Control Installation guide. Product version: 3.5 Sophos Mobile Control Installation guide Product version: 3.5 Document date: July 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...10 4 External

More information

Click Studios. Passwordstate. Installation Instructions

Click Studios. Passwordstate. Installation Instructions Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior

More information

HP ProtectTools Embedded Security Guide

HP ProtectTools Embedded Security Guide HP ProtectTools Embedded Security Guide Document Part Number: 364876-001 May 2004 This guide provides instructions for using the software that allows you to configure settings for the HP ProtectTools Embedded

More information

Installation Instructions Release Version 15.0 January 30 th, 2011

Installation Instructions Release Version 15.0 January 30 th, 2011 Release Version 15.0 January 30 th, 2011 ARGUS Software: ARGUS Valuation - DCF The contents of this document are considered proprietary by ARGUS Software, the information enclosed and any portion thereof

More information

Avalanche Remote Control User Guide. Version 4.1.3

Avalanche Remote Control User Guide. Version 4.1.3 Avalanche Remote Control User Guide Version 4.1.3 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway, Suite 200 South Jordan, Utah 84095

More information

MadCap Software. Upgrading Guide. Pulse

MadCap Software. Upgrading Guide. Pulse MadCap Software Upgrading Guide Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished

More information

AD RMS Step-by-Step Guide

AD RMS Step-by-Step Guide AD RMS Step-by-Step Guide Microsoft Corporation Published: March 2008 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide provides instructions for setting up a test environment to

More information

Citrix Systems, Inc.

Citrix Systems, Inc. Citrix Systems, Inc. Notice The information in this publication is subject to change without notice. THIS PUBLICATION IS PROVIDED AS IS WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY

More information

SELF SERVICE RESET PASSWORD MANAGEMENT WEB INTERFACE GUIDE

SELF SERVICE RESET PASSWORD MANAGEMENT WEB INTERFACE GUIDE SELF SERVICE RESET PASSWORD MANAGEMENT WEB INTERFACE GUIDE Copyright 1998-2015 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form

More information

Version 4.61 or Later. Copyright 2013 Interactive Financial Solutions, Inc. All Rights Reserved. ProviderPro Network Administration Guide.

Version 4.61 or Later. Copyright 2013 Interactive Financial Solutions, Inc. All Rights Reserved. ProviderPro Network Administration Guide. Version 4.61 or Later Copyright 2013 Interactive Financial Solutions, Inc. All Rights Reserved. ProviderPro Network Administration Guide. This manual, as well as the software described in it, is furnished

More information

SafeGuard Enterprise Web Helpdesk

SafeGuard Enterprise Web Helpdesk SafeGuard Enterprise Web Helpdesk Product version: 5.60 Document date: April 2011 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Help Desk

More information

BlackShield ID Agent for Remote Web Workplace

BlackShield ID Agent for Remote Web Workplace Agent for Remote Web Workplace 2010 CRYPTOCard Corp. All rights reserved. http:// www.cryptocard.com Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced,

More information

www.novell.com/documentation Server Installation ZENworks Mobile Management 2.7.x August 2013

www.novell.com/documentation Server Installation ZENworks Mobile Management 2.7.x August 2013 www.novell.com/documentation Server Installation ZENworks Mobile Management 2.7.x August 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this

More information

StarWind iscsi SAN Software: Tape Drives Using StarWind and Symantec Backup Exec

StarWind iscsi SAN Software: Tape Drives Using StarWind and Symantec Backup Exec StarWind iscsi SAN Software: Tape Drives Using StarWind and Symantec Backup Exec www.starwindsoftware.com Copyright 2008-2011. All rights reserved. COPYRIGHT Copyright 2008-2011. All rights reserved. No

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

Table of Contents. FleetSoft Installation Guide

Table of Contents. FleetSoft Installation Guide FleetSoft Installation Guide Table of Contents FleetSoft Installation Guide... 1 Minimum System Requirements... 2 Installation Notes... 3 Frequently Asked Questions... 4 Deployment Overview... 6 Automating

More information

IBM WebSphere Application Server Version 7.0

IBM WebSphere Application Server Version 7.0 IBM WebSphere Application Server Version 7.0 Centralized Installation Manager for IBM WebSphere Application Server Network Deployment Version 7.0 Note: Before using this information, be sure to read the

More information

QUANTIFY INSTALLATION GUIDE

QUANTIFY INSTALLATION GUIDE QUANTIFY INSTALLATION GUIDE Thank you for putting your trust in Avontus! This guide reviews the process of installing Quantify software. For Quantify system requirement information, please refer to the

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED. Installation Guide Lenel OnGuard 2009 Installation Guide, product version 6.3. This guide is item number DOC-110, revision 1.038, May 2009 Copyright 1992-2009 Lenel Systems International, Inc. Information

More information

Nexio Connectus with Nexio G-Scribe

Nexio Connectus with Nexio G-Scribe Nexio Connectus with Nexio G-Scribe 2.1.2 3/20/2014 Edition: A 2.1.2 Publication Information 2014 Imagine Communications. Proprietary and Confidential. Imagine Communications considers this document and

More information

TIBCO Spotfire Metrics Prerequisites and Installation

TIBCO Spotfire Metrics Prerequisites and Installation TIBCO Spotfire Metrics Prerequisites and Installation Software Release 6.0 November 2013 Two-Second Advantage 2 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF

More information

026-1010 Rev 7 06-OCT-2011. Site Manager Installation Guide

026-1010 Rev 7 06-OCT-2011. Site Manager Installation Guide 026-1010 Rev 7 06-OCT-2011 Site Manager Installation Guide Retail Solutions 3240 Town Point Drive NW, Suite 100 Kennesaw, GA 30144, USA Phone: 770-425-2724 Fax: 770-425-9319 Table of Contents 1 SERVER

More information

Embarcadero Performance Center 2.7 Installation Guide

Embarcadero Performance Center 2.7 Installation Guide Embarcadero Performance Center 2.7 Installation Guide Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco, CA 94111 U.S.A.

More information

NovaBACKUP Central Management Console

NovaBACKUP Central Management Console NovaBACKUP Central Management Console User Manual NovaStor / November 2013 2013 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are

More information

Migrating MSDE to Microsoft SQL 2008 R2 Express

Migrating MSDE to Microsoft SQL 2008 R2 Express How To Updated: 11/11/2011 2011 Shelby Systems, Inc. All Rights Reserved Other brand and product names are trademarks or registered trademarks of the respective holders. If you are still on MSDE 2000,

More information

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER Notes: STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER 1. These instructions focus on installation on Windows Terminal Server (WTS), but are applicable

More information

Copyright. Disclaimer. Introduction 1. System Requirements... 3. Installing the software 4

Copyright. Disclaimer. Introduction 1. System Requirements... 3. Installing the software 4 Digital Signatures User Guide Revision 1.2 build 1, Document Revision 1.12 Published 31. Octover 2011 ii Contents Copyright Disclaimer iii iii Introduction 1 System Requirements... 3 Installing the software

More information

Installation & Configuration Guide

Installation & Configuration Guide Installation & Configuration Guide Bluebeam Studio Enterprise ( Software ) 2014 Bluebeam Software, Inc. All Rights Reserved. Patents Pending in the U.S. and/or other countries. Bluebeam and Revu are trademarks

More information

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide Digipass Plug-In for IAS IAS Plug-In IAS Microsoft's Internet Authentication Service Installation Guide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations

More information

Lepide Exchange Recovery Manager

Lepide Exchange Recovery Manager Configuration Guide Lepide Exchange Recovery Manager Lepide Software Private Limited, All Rights Reserved This User Guide and documentation is copyright of Lepide Software Private Limited, with all rights

More information

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) ( SAFETICA INSIGHT INSTALLATION MANUAL SAFETICA INSIGHT INSTALLATION MANUAL for Safetica Insight version 6.1.2 Author: Safetica Technologies s.r.o. Safetica Insight was developed by Safetica Technologies

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER QUICK-START GUIDE FOR THE ENTERPRISE EDITION Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not

More information

Sage Intelligence Financial Reporting for Sage ERP X3 Version 6.5 Installation Guide

Sage Intelligence Financial Reporting for Sage ERP X3 Version 6.5 Installation Guide Sage Intelligence Financial Reporting for Sage ERP X3 Version 6.5 Installation Guide Table of Contents TABLE OF CONTENTS... 3 1.0 INTRODUCTION... 1 1.1 HOW TO USE THIS GUIDE... 1 1.2 TOPIC SUMMARY...

More information