Defender Delegated Administration User Guide
© 2012 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
USA
www.quest.com
email: legal@quest.com
Refer to our Web site for regional and international office information.

TRADEMARKS
Quest, Quest Software, the Quest Software logo, and Defender are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners.

Disclaimer
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Quest Defender Delegated Administration User Guide
Updated - April 2012
Software Version - 5.7
Contents

About this Guide ............................................ 5
  Quest One Identity Solution ............................... 6
  Audience and Scope ........................................ 6
  Conventions ............................................... 7
  About Quest Software ...................................... 8
  Contacting Quest Software ................................. 8
    Contacting Customer Support ............................. 8

Chapter 1  Delegated Administration ......................... 9
  Introduction ............................................. 10
    What is Defender Delegated Administration? ............. 10
    Pre-requisites ......................................... 10
  Installing Defender Delegated Administration ............. 11

Chapter 2  Administration Roles ............................ 13
  Roles .................................................... 14
    Administrator .......................................... 14
    Basic Helpdesk ......................................... 15
    Provisioning ........................................... 15
    Enhanced Helpdesk ...................................... 15
    Auditor ................................................ 16
  Service Accounts ......................................... 16
    Defender Security Server ............................... 16
    Defender Token Deployment System ....................... 16
  Advanced Control ......................................... 17
    Assign Defender Token .................................. 17
    Program Defender Token ................................. 17
    Recover Defender Token ................................. 17
    Reset Defender Token ................................... 18
    Set and Clear Defender Token's PIN ..................... 18
    Assign Defender Token Temporary Response ............... 18
    Set Defender Password .................................. 18
    Test Defender Token .................................... 18
    Unassign Defender Token ................................ 18
    Reset Defender Token Violation Count ................... 18
    Modify Defender ID ..................................... 18
    Select Policy .......................................... 19
    Select RADIUS Payload .................................. 19
    Update Defender User License ........................... 19
    Update Defender Token License .......................... 19
  Full Control ............................................. 20
  Delegating Roles ......................................... 21
About this Guide

  Quest One Identity Solution
  Audience and Scope
  Conventions
  About Quest Software
  Contacting Quest Software
Quest One Identity Solution

Defender is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by:
- Reducing the number of identities
- Automating identity administration
- Ensuring the security of identities
- Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:
- Single sign-on
- Directory consolidation
- Provisioning
- Password management
- Strong authentication
- Privileged account management
- Audit and compliance.

Audience and Scope

This book is intended for administrators who want to use Defender Delegated Administration. This book does not provide tutorial information on the use of the Windows operating system or on network communication concepts. Users must have experience in using the specified operating system and an understanding of networking concepts.
Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references.

Element                    Convention

Select
    This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text
    Used to highlight installation questions and responses.
courier text
    File, daemon, utility, option, attribute names.
Italic text
    Used for comments.
Bold Italic text
    Used for emphasis.
Blue text
    Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
(icon)
    Used to highlight additional information pertinent to the process being described.
(icon)
    Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(icon)
    Used to highlight processes that should be performed with care.
+
    A plus sign between two keystrokes means that you must press them at the same time.
|
    A pipe symbol (vertical bar) between elements means that you must select the elements in that particular sequence.
\
    The back slash, immediately followed by a new line, indicates a Unix command line continuation.
<version>.<build number>
    References to the product version you are installing are displayed with <version>.<build number> in angle brackets.
About Quest Software

Quest Software, Inc., a two-time winner of Microsoft's Global Independent Software Vendor Partner of the Year award, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 100,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows management solutions simplify, automate, secure and extend Active Directory, Exchange Server, SharePoint, SQL Server, .NET and Windows Server, as well as integrating Unix, Linux and Java into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone      949.754.8000 (United States and Canada)
Email      info@quest.com
Mail       Quest Software World Headquarters
           5 Polaris Way
           Aliso Viejo, CA 92656
Web site   www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink   www.quest.com/support
Email         support@quest.com

You can use SupportLink to do the following:
- Create, update, or view support requests
- Search the knowledge base
- Access FAQs
- Download patches
Chapter 1  Delegated Administration

  Introduction
  What is Defender Delegated Administration?
  Installing Defender Delegated Administration
Introduction

This guide describes how to use Defender Delegated Administration to create and manage users or groups with delegated administrative roles.

What is Defender Delegated Administration?

Defender Delegated Administration provides a scalable approach to the administration of access rights, enabling you to create and manage users or groups with delegated administrative roles. A simple configuration wizard enables system administrators to administer users and groups, and delegate the appropriate administrative roles.

Pre-requisites

The following pre-requisites apply to the components listed:
- Microsoft Visual C++ 2008 SP1 is required to install the Defender MMC Console (these are distributed on the Defender autorun CD).
- Microsoft .NET 3.5 SP1 or later is required to run the Defender Delegated Administration wizard.
- The Defender Administration console should be run with a Domain Admins account (or similar) with the rights to modify account permissions for other groups of users.

To use the Defender Delegated Administration wizard you must have Microsoft .NET 3.5 SP1 or later installed. If you do not, you will not be able to run the wizard and a warning message will be displayed when you attempt to launch it.
Installing Defender Delegated Administration

The Defender Delegated Administration wizard is installed automatically when you install the Defender Administration console. To access Defender Delegated Administration, from the Defender menu, select Delegate Control. The Delegated Administration Wizard will start.

The Defender Administration wizard only modifies permissions within your Active Directory for Defender attributes in the schema. It does not modify any standard Microsoft Active Directory permissions.
Chapter 2  Administration Roles

  Roles
  Service Accounts
  Advanced Control
  Full Control
  Delegating Roles
Roles

Roles are typically granted to groups of users, such as a helpdesk group of users. The available roles are:

Administrator

Defender Administrators can modify any Defender object and have complete control over the Defender configuration. This includes modification of all user-based Defender items, such as:
- assign and unassign tokens
- set the Defender password
- set Defender PIN
- modify Access Nodes, Security Servers, Policies, Tokens and RADIUS Payloads
- manage Defender licenses.
Basic Helpdesk

When this permission is granted, the user or group can:
- reset a Defender Token
- test a Defender Token via the Defender Console
- reset a locked Defender token by resetting the Violation Count on the username Properties page.

Provisioning

When this permission is granted, the user or group can:
- assign a Defender token
- program a Defender token
- remove a Defender token from a user's account
- reset a Defender PIN.

Enhanced Helpdesk

When this permission is granted, the user or group can:
- assign a Defender token
- program a Defender token
- remove a Defender token
- reset a Defender token
- recover a Defender token
- test a Defender token
- reset a locked Defender token
- set a Defender PIN
- set Defender password
- assign a temporary token response.
Auditor

When this permission is granted, the user or group has read-only access to:
- all Defender objects of Users and Groups
- all Defender attributes of Users and Groups.

If one of the above roles alone does not provide the required level of authority, you can combine two or more roles. For example, you could combine the Basic Helpdesk role with a specific right from the Advanced Control menu, described below.

Service Accounts

Service accounts are created to provide the correct permissions for the following Defender components.

Defender Security Server

This will ensure that the service user account, used by the Defender Security Server to connect to Active Directory, has the required permissions. The account should be configured on the Defender Security Server Configuration dialog.

Defender Token Deployment System

This will ensure that the service user account, used by the Defender Token Deployment System to connect to Active Directory, has the required permissions. To do this, perform the following steps.

For Defender v5.5 and earlier, using the Defender Self Registration component:
1. Load Component Services.
2. Navigate to Computer, My Computer, DCOM Config, Defender.
3. Right-click Defender, then select Properties.
4. Select the Identity tab.
5. Modify the service account credentials.

For Defender 5.6 and above, using the Defender Token Deployment System: set the account on the Common Settings tab.

For Defender 5.7 and later, using the Defender Management Portal System: configure the account on the System Configuration \ Credentials tab.

The permissions configured when applying the Token Deployment System service account are also suitable for users who require full access to Defender Reports.

Advanced Control

Assign Defender Token

Assign a token to a user from the Defender Token OU or on the username Properties page.

Program Defender Token

Program a token on the username Properties page, or from Program Token on the Defender tool bar menu.

Recover Defender Token

Recover a token from the username Properties page, or right-click the token within the Token OU and then select recovery. Recover token applies to certain token types only.
Reset Defender Token

Reset a token on the username Properties page or select the token within the Defender Token OU.

Set and Clear Defender Token's PIN

Add and remove a PIN on a user's token. This can be set on the username Properties page or on the token within the Defender Token OU.

Assign Defender Token Temporary Response

Set a helpdesk response on the username Properties page.

Set Defender Password

Set a Defender Password on the username Properties page.

Test Defender Token

Test a user's token response for a specific token and also optionally verify the PIN on the user's account. This can be tested on the username Properties page or on the token within the Defender Token OU.

Unassign Defender Token

Unassign a token on the username Properties page or by selecting the token within the Defender Token OU.

Reset Defender Token Violation Count

Reset the token violation count on the username Properties page or by selecting the token within the Defender Token OU.

Modify Defender ID

Set a Defender ID on the username Properties page.
Select Policy

Select a Defender security policy.

Select RADIUS Payload

Select a RADIUS policy.

Update Defender User License

Required for assigning, unassigning and programming tokens; it is automatically assigned as required. However, you may need to grant this specific right in a multi-domain environment depending on where your license is located. If the Update Defender User License right is not automatically assigned to the required user/group, run the Delegated Administration Wizard again, as described in Delegating Roles on page 21.

Update Defender Token License

Required for assigning, unassigning and programming tokens; it is automatically assigned as required. However, you may need to grant this specific right in a multi-domain environment depending on where your license is located. If the Update Defender Token License right is not automatically assigned to the required user/group, run the Delegated Administration Wizard again, as described in Delegating Roles on page 21.
Full Control

The settings in this section grant the full permissions necessary to manage specific Defender objects, including the permissions to view or modify any of the object properties, and to create, delete, rename or move objects on a user or group. The available options are:
- Defender Access Node full control
- Defender DSS full control
- Defender License full control
- Defender Policy full control
- Defender RADIUS Payload full control
- Defender Token full control
- Defender Token License full control.
Delegating Roles

To delegate administrative roles to a user or group, perform the following steps:
1. From the Defender menu, select Delegate Control.
2. The Defender Delegated Administration Wizard starts and the Users and Groups dialog is displayed.
3. Click Add to specify the user or group to which you want to delegate administrative roles. The Select Users and Groups dialog is displayed.
4. Enter the names of the users or groups.
5. Click OK to continue. The Users and Groups dialog is displayed, showing your selected users and groups.
6. Click Next to continue. The Tasks to Delegate dialog is displayed. It includes the following sections:
   - Roles
   - Service Accounts
   - Advanced Control
   - Full Control.
   Check the boxes adjacent to the administrative functions that you want to delegate to the selected user or group.
7. Click Next to continue. The User Locations dialog is displayed.
8. Click Add to specify the location of the users that will be managed by the user or group to which you have delegated the tasks.
9. Click OK to continue. The User Locations dialog displays the selected locations.
10. Click Next to continue. The Summary dialog is displayed.
11. Click Finish to complete the procedure.
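Once the wizard has finished, an administrator will usually want to confirm what it actually wrote to the directory: that the entries granted to the delegated group on the chosen user location are limited to Defender schema attributes and carry no wider write rights, as the Installing section states. The PowerShell below is an added example written for this guide, not Quest's code or part of Defender; it assumes the RSAT ActiveDirectory module is installed, and the OU and group names in it are placeholders.

```powershell
# Added example, not Quest code: list the access control entries the delegated
# group holds on the user location OU after the wizard has run, resolving the
# attribute and class GUIDs to schema names so the grant can be reviewed.
# Assumes the RSAT ActiveDirectory module. OU and group names are placeholders.
Import-Module ActiveDirectory

function Get-DelegatedAces {
    param(
        [Parameter(Mandatory)] [string] $UserLocationDN,  # OU chosen in the User Locations dialog
        [Parameter(Mandatory)] [string] $DelegateAccount  # DOMAIN\group chosen in Users and Groups
    )

    # Map schemaIDGUID -> lDAPDisplayName for every attribute and class in the schema.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $names = @{}
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    $resolve = {
        param([guid] $g)
        if ($g -eq [guid]::Empty)       { '<all>' }
        elseif ($names.ContainsKey($g)) { $names[$g] }
        else                            { $g.ToString() }  # extended right or unknown GUID
    }

    (Get-Acl -Path "AD:\$UserLocationDN").Access |
        Where-Object { $_.IdentityReference.Value -eq $DelegateAccount } |
        ForEach-Object {
            $write = ($_.ActiveDirectoryRights -band
                      [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
            [pscustomobject]@{
                Rights    = $_.ActiveDirectoryRights
                Type      = $_.AccessControlType
                Property  = & $resolve $_.ObjectType           # attribute the ACE is limited to
                AppliesTo = & $resolve $_.InheritedObjectType  # object class the ACE applies to
                Inherited = $_.IsInherited
                # A write that is not limited to a named attribute is broader than the
                # Defender-attribute-only delegation the guide describes; review it.
                Broad     = $write -and ($_.ObjectType -eq [guid]::Empty)
            }
        }
}

# Placeholders: substitute your own user location and delegated helpdesk group.
Get-DelegatedAces -UserLocationDN 'OU=Helpdesk Users,DC=example,DC=com' `
                  -DelegateAccount 'EXAMPLE\Defender Helpdesk' |
    Format-Table -AutoSize
```

Rows whose Property column names a Defender attribute match the guide's description of the wizard's behaviour; any row with Broad set to True, or a Property outside the Defender attribute set, was not produced by the delegation described here and should be accounted for.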