Security Features in Password Manager
Written by Einar Mykletun, Ph.D., security and compliance architect for research and development at Dell

Introduction
Information system security is a priority for every organization, and the security level of third-party software solutions has become a differentiating factor for IT purchase decisions. Dell Software strives to provide its customers with their desired level of security, whether it relates to privacy, authenticity and integrity of data, availability, or protection against malicious users and attacks.

This document describes the security features of Password Manager. It reviews access control, customer data protection, secure network communication, and more. There is also an appendix that describes how the security features of Password Manager meet the NIST-recommended security standards detailed in the Federal Information Security Management Act (FISMA).

About Password Manager
Dell Password Manager provides a simple, secure, self-service solution that enables end users to reset forgotten passwords and unlock their accounts. It permits administrators to implement stronger password policies while reducing the help desk workload. Organizations no longer have to sacrifice security to reduce costs. Password Manager accommodates the widest possible range of organizational needs and data security standards, so organizations can implement secure data access policies beyond the control offered natively in Microsoft Active Directory. It increases security by reducing help desk errors, eliminating the need for users to write down passwords, and making password guessing and break-ins more difficult.
Figure 1. Overview of Password Manager. [Diagram residue: the figure shows end users (forgets password, locked out of account, manages passwords), help desk staff (verify account, verify user identity, authenticate user) and security administrators (monitor activity, investigate alerts) around the Password Manager functions: enforce enrollment, define questions, enforce corporate policies, enforce password history, define password policies, reset forgotten password, manage password change, unlock account, log activity, alert of suspicious activity; and its integrations: ActiveRoles Server and Identity Manager integration, password synchronization with Quick Connect, integration with Defender, integration with Enterprise Single Sign-on.]

The following sections describe security aspects of Password Manager.

User account
The user account under which the Password Manager Service runs should be specified during installation. It will be used to access the managed domain and should be delegated the privileges listed in the Admin Guide.

Protection of sensitive data
Password Manager secures all sensitive information by encrypting or hashing it. The following is considered sensitive information: credentials for service accounts and Q&A profile (answers) information. This information is protected as follows:

Password Manager supports 192-bit TripleDES and 192-bit or 256-bit AES encryption algorithms. Credentials for service accounts are encrypted using the selected encryption algorithm. Q&A profile (answers) information is hashed with MD5 or encrypted using the selected encryption algorithm. Encryption keys are generated during installation and are unique per customer. A random initialization vector (IV) is also created and used to provide randomization during encryption. The list of service accounts includes: Domain Account, SMTP service and Quick Connect service, SQL Server, Reporting service.
By default, Password Manager stores the encrypted hashes of the Q&A profiles (user answers) in the comment attribute of each user account. You can configure Password Manager to use a different attribute if needed. Credentials for the service accounts are stored in an encrypted part of an XML file in the system Application Data or Program Data directory. Access to this file is protected with NTFS permissions.
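As an added illustration of the protection scheme described above (this is example code, not code from the brief or from Password Manager itself), the Go program below generates a per-installation key, encrypts a service-account credential with AES-256 in CBC mode under a fresh random IV, and stores Q&A answers as MD5 digests that are checked with a constant-time comparison. The 256-bit AES choice, PKCS#7 padding, keeping the IV in front of the ciphertext, and trimming and lower-casing answers before hashing are all assumptions of this example; the brief does not specify them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"io"
	"strings"
)

// NewInstallKey models the per-customer key generated at installation:
// 32 random bytes for AES-256. (The brief also allows 192-bit AES and
// 192-bit TripleDES; only the key length and cipher constructor differ.)
func NewInstallKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// pkcs7Pad returns a padded copy of b; PKCS#7 padding is an assumption here.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	out := make([]byte, 0, len(b)+n)
	out = append(out, b...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates the padding added by pkcs7Pad.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("plaintext not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCredential encrypts a service-account secret with AES-CBC under a
// fresh random IV. The IV is stored in front of the ciphertext (an
// assumption: the brief says an IV is generated, not where it is kept), so
// encrypting the same secret twice never yields the same stored bytes.
func EncryptCredential(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptCredential reverses EncryptCredential, rejecting malformed input.
func DecryptCredential(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// HashAnswer models the MD5 option for Q&A profile answers. Trimming and
// lower-casing before hashing is an assumption of this example.
func HashAnswer(answer string) [16]byte {
	return md5.Sum([]byte(strings.ToLower(strings.TrimSpace(answer))))
}

// VerifyAnswer compares digests in constant time so that response timing
// does not reveal how many bytes of the stored digest matched.
func VerifyAnswer(stored [16]byte, candidate string) bool {
	h := HashAnswer(candidate)
	return subtle.ConstantTimeCompare(stored[:], h[:]) == 1
}
```

Two points the example makes visible. Encrypting the same credential twice produces different stored bytes because the IV is random, which is the randomization the brief refers to. CBC on its own provides confidentiality only, so the integrity of the stored XML still rests on the NTFS permissions described above. An unsalted MD5 digest of a short answer also offers little protection if the stored attribute is disclosed, which is a reason to prefer the encryption option the brief offers for Q&A profiles.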
Password Manager uses the Microsoft Cryptographic API (CAPI) with the Microsoft AES Cryptographic Provider for its key generation, encryption, and hashing functionality.

Authentication of users
Password Manager requires both regular and privileged users to authenticate themselves with their user name and password. Password Manager doesn't perform the actual user authentication, but verifies the credentials against Active Directory. Password characters are replaced by asterisks as they are typed by a user during authentication.

Access control
Password Manager supports role-based access control. You can use Active Directory groups to grant permissions to help desk staff and end users.

Logging
Password Manager maintains two types of logs: an application log and a personal log. Both are stored in the SQL Server database and protected by the database's access control policies. The application log records all actions performed by Password Manager, including those by privileged and regular users. The logged events include timestamps and identifying information (who/what/when). Other user activity, such as successful and failed authentication attempts, password changes and resets, and unlocking of accounts, is also logged. The personal log records actions performed by a Password Manager administrator on a specific user account or question and answer profile.

Secure network communication
It is strongly recommended to enable HTTPS (SSL/TLS) on the server where Password Manager is installed. This ensures that all Web traffic between the user's Web browser and the Password Manager Web application is encrypted and authenticated. Enabling HTTPS may require the customer to create an HTTPS public key certificate (if one does not already exist for that server). Kerberos and NTLM are used to protect Active Directory Service Interfaces (ADSI), Lightweight Directory Access Protocol (LDAP), and Remote Procedure Call (RPC) communication. The outgoing mail server (SMTP) can be configured to use SSL to provide an encrypted connection when email alerts are sent to users.
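The logging section above says the application log records successful and failed authentication attempts, resets and unlocks with who/what/when detail. As an added example (not part of the brief, and not Password Manager's own log format), the Go program below parses a few constructed log lines in a simple key=value form and applies two detections a security administrator would run over such a log: a burst of failed authentications against one account, and one client address failing against many different accounts inside a short window. The line format, the field names, the five-minute window and the threshold of three are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one application-log record: who, what, when, and the client
// address. The key=value line format is constructed for this example and
// is not Password Manager's own log format.
type Event struct {
	When         time.Time
	User, Action string // Action: AuthOK, AuthFailed, PasswordReset, ...
	Source       string
}

// ParseLine parses "<RFC3339 time> user=<name> action=<Action> source=<ip>".
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return Event{}, fmt.Errorf("short log line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	ev := Event{When: when}
	for _, kv := range f[1:] {
		p := strings.SplitN(kv, "=", 2)
		if len(p) != 2 {
			return Event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch p[0] {
		case "user":
			ev.User = p[1]
		case "action":
			ev.Action = p[1]
		case "source":
			ev.Source = p[1]
		}
	}
	if ev.User == "" || ev.Action == "" || ev.Source == "" {
		return Event{}, fmt.Errorf("missing user/action/source in %q", line)
	}
	return ev, nil
}

// Alert names the rule that fired, the account or address it fired on,
// and the time of the event that tipped it over the threshold.
type Alert struct {
	Rule, Key string
	At        time.Time
}

// Detect applies two sliding-window rules to AuthFailed events:
//   burst: one account has at least threshold failures within window
//   spray: one source address fails against at least threshold distinct
//          accounts within window
// Each rule fires once per key, so a long attempt yields a single alert.
func Detect(events []Event, window time.Duration, threshold int) []Alert {
	sorted := append([]Event(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].When.Before(sorted[j].When) })
	recent := map[string][]Event{} // "rule:key" -> failures still inside the window
	fired := map[string]bool{}
	var alerts []Alert
	observe := func(rule, key string, ev Event, count func([]Event) int) {
		k := rule + ":" + key
		evs := append(recent[k], ev)
		for len(evs) > 0 && evs[0].When.Before(ev.When.Add(-window)) {
			evs = evs[1:] // drop failures that have aged out of the window
		}
		recent[k] = evs
		if !fired[k] && count(evs) >= threshold {
			fired[k] = true
			alerts = append(alerts, Alert{Rule: rule, Key: key, At: ev.When})
		}
	}
	distinctUsers := func(evs []Event) int {
		seen := map[string]bool{}
		for _, e := range evs {
			seen[e.User] = true
		}
		return len(seen)
	}
	for _, ev := range sorted {
		if ev.Action != "AuthFailed" {
			continue
		}
		observe("burst", ev.User, ev, func(evs []Event) int { return len(evs) })
		observe("spray", ev.Source, ev, distinctUsers)
	}
	return alerts
}

// AnalyzeLines parses raw lines and runs Detect over the result.
func AnalyzeLines(lines []string, window time.Duration, threshold int) ([]Alert, error) {
	events := make([]Event, 0, len(lines))
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return Detect(events, window, threshold), nil
}

// SampleLog is constructed input: three failures against one account, one
// address trying three different accounts, and an unrelated reset.
var SampleLog = []string{
	"2013-10-29T08:00:01Z user=jsmith action=AuthFailed source=10.0.0.5",
	"2013-10-29T08:00:20Z user=jsmith action=AuthFailed source=10.0.0.5",
	"2013-10-29T08:00:45Z user=jsmith action=AuthFailed source=10.0.0.5",
	"2013-10-29T08:01:10Z user=jsmith action=AuthOK source=10.0.0.5",
	"2013-10-29T08:30:00Z user=mlee action=AuthFailed source=10.0.0.9",
	"2013-10-29T08:30:05Z user=pkim action=AuthFailed source=10.0.0.9",
	"2013-10-29T08:30:11Z user=rdoe action=AuthFailed source=10.0.0.9",
	"2013-10-29T09:15:00Z user=abrown action=PasswordReset source=10.0.0.21",
}
```

Calling AnalyzeLines(SampleLog, 5*time.Minute, 3) returns two alerts: a burst on jsmith at 08:00:45 and a spray from 10.0.0.9 at 08:30:11. The three jsmith failures do not also trigger the spray rule because that rule counts distinct accounts per source, not attempts, which is what separates a user mistyping a password from an address working through a list of accounts. Both rules depend on the timestamp and source fields being present in every record, so the who/what/when detail the brief describes is what makes this kind of review possible.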
Open communication ports
The following ports on the Password Manager server need to be opened:

Web interface, administration site:
- Port 80 (default HTTP), TCP, inbound
- Port 443 (default HTTPS), TCP, inbound/outbound
- Port 8081, TCP, inbound/outbound
- Port 25 (default SMTP port), TCP, outbound

Web interface, self-service and help desk sites:
- Port 80 (default HTTP), TCP, inbound
- Port 443 (default HTTPS), TCP, inbound/outbound
- Port 8081, TCP, inbound/outbound

Service:
- Port 53 (outgoing DNS lookups), UDP, outbound
- Port 88 (Kerberos authentication), TCP/UDP, outbound
- Port 389 (LDAP access), TCP/UDP, outbound
- Port 636 (LDAP access), TCP, outbound
- Port 137 (NetBIOS Name Service), TCP, outbound
- Port 139 (NetBIOS Session Service), TCP, outbound

SQL Server:
- Port 1433 (SQL Server), TCP/UDP, outbound
- Port 1434 (SQL Server Browser Service), TCP/UDP, outbound

Report Server:
- Port 80 (SQL Server Reporting Services), TCP, outbound

Email notification:
- Port 25 (default SMTP port), TCP, outbound

Quick Connect:
- Port 808, TCP, outbound

Secure Password Extension:
- Port 80 (default HTTP), TCP, outbound
- Port 88 (Kerberos authentication), UDP, outbound
- Port 389 (LDAP access), TCP, outbound
- Port 443 (default HTTPS), TCP, outbound

Accounts used in Password Manager
The following accounts are or can be used in Password Manager: the service account, the application pool identity, the domain management account, the password policy account, and the account for Quick Connect.

Service account
The service account is used to install Password Manager. For Password Manager to run successfully, the service account must be a member of the Administrators group on the Web server where Password Manager is installed.

Application pool identity
The application pool identity is the account under which the application pool's worker process runs. The account you specify as the application pool identity during setup will be used to run the Web sites. The application pool identity account must meet the following requirements:
- It must be a member of the IIS_WPG local group on the Web server in IIS 6.0, or of the IIS_IUSRS local group on the Web server in IIS 7.0.
- It must have permission to create files in the <Password Manager installation folder>\app_data folder.

Domain management account
The domain management account is the account under which Password Manager accesses a managed domain.
The domain management account must meet the following minimum requirements to successfully perform password management tasks in the managed domain:
- Membership in the Domain Users group
- The Read permission for all attributes of user objects
- The Write permission for the following attributes of user objects: pwdLastSet, comment, and userAccountControl
- The right to reset user passwords
- The Write permission to create user accounts in the Users container
- The Read permission for attributes of the organizationalUnit objects and domain objects
- The Write permission for the gPLink attribute of the organizationalUnit objects and domain objects
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
- The permission to create container objects in the System container
- The permission to create serviceConnectionPoint objects in the System container
- The permission to delete serviceConnectionPoint objects in the System container
- The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

Password policy account
You can use Password Manager to create password policies that define which passwords to reject or accept. The password policy account is the account that you specify when you add a domain for configuring password policies. The password policy account must meet the following minimum requirements:
- The Read permission for attributes of the groupPolicyContainer objects
- The Write permission to create and delete groupPolicyContainer objects in the System Policies container
- The Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects
- The permission to create and delete container and serviceConnectionPoint objects in Group Policy containers
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
- The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers
- The Write permission for the following attributes of the msDS-PasswordSettings object: msDS-LockoutDuration, msDS-LockoutThreshold, msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-MinimumPasswordLength, msDS-PasswordComplexityEnabled, msDS-PasswordHistoryLength, msDS-PasswordReversibleEncryptionEnabled, msDS-PasswordSettingsPrecedence, msDS-PSOApplied, msDS-PSOAppliesTo, name

Accounts for Quick Connect
To enable Password Manager to connect to Quick Connect and set passwords in connected data sources, the account used to access Quick Connect must be a member of the local Administrators group on the Quick Connect server.

Verification of user input
Password Manager verifies input provided by users prior to processing it. It checks for the correct data type (for example, no numeric values in a text-only field) and the length of the data. In addition, user passwords are masked by asterisks to prevent them from being displayed in clear text.

Configuration parameters
Password Manager configuration parameters are stored in the system Application Data directory in an XML file. All sensitive data is stored in an encrypted part of the XML file. The XML contents are encrypted with 192-bit TripleDES. The XML file is protected with NTFS permissions.

Alerting of Unexpected Events
Password Manager has the ability to send email notifications to a designated email account in case of any unexpected events. The events are recorded in the application event log.

Daylight Savings Time compliance
Password Manager will not be affected by the changes introduced by the Daylight Savings Time (DST) Extension (U.S. Energy Policy Act of 2005). It relies upon the operating system for time management and does not implement any special logic around DST settings.

Customer measures
The security features of Password Manager are only one part of a secure environment. The customer's operational and policy decisions have the greatest influence on the overall level of security. The customer is responsible for the physical security of the server on which Password Manager is installed as well as the system network.

Appendix A: Password Manager and FISMA Compliance
The Federal Information Security Management Act (FISMA) was passed by the U.S. Congress and signed by the president as part of the Electronic Government Act of 2002. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

A major component of FISMA implementation is the publication by the National Institute of Standards and Technology (NIST) entitled Recommended Security Controls for Federal Information Systems, listed as NIST Special Publication 800-53. This document presents 17 general security categories that can be used to evaluate an information system and measure its level of compliance with FISMA. For this reason, this appendix lists the 17 categories in 800-53 and describes how Password Manager addresses them.

We would like to emphasize that the secure deployment of Password Manager is only one part of an information security program. If the appendix states that a particular security category is applicable to Password Manager, this means that Password Manager contains security features that may be relevant to some or all aspects of the category in question. It may not mean that Password Manager fully meets all of the requirements described in that security category, or that the use of Password Manager by itself will guarantee compliance with any information security standards or control programs. The specification, selection and implementation of a successful security program depends on how the customer deploys, operates, and maintains its entire network and physical infrastructure, including Password Manager.

NIST 800-53 Categories

Access Control (AC)
Only privileged users can access and modify Password Manager configuration parameters. Section(s): Access Control.

Awareness and Training (AT)
The customer is responsible for its own security awareness and training policies.

Audit and Accountability (AU)
Password Manager keeps an application log that records all transactions performed by both privileged and regular users, including timestamps and identifying information such as who/what/when. Section(s): Logging.

Certification, Accreditation and Assessments (CA)
The customer is responsible for its own security assessment, accreditation and certification policies.
Configuration Management (CM)
Configuration changes to Password Manager can only be made by privileged users. The communication ports used by Password Manager are restricted and only administrators can configure them. There is a specific set of privileges required by Password Manager accounts. Section(s): Open Communication Ports, Accounts Used in Password Manager.

Contingency Planning (CP)
The customer is responsible for designing and implementing its own contingency plans. As defined by NIST (publication 800-34), disruptive events to IT systems include power outages, fire and equipment damage, and can be caused by natural disasters or terrorist actions.

Identification and Authentication (IA)
Password Manager enforces identification and authentication through password-protected user accounts. Only authorized users, who are authenticated through Active Directory, can log on via the Web application. Section(s): Authentication of Users.

Incident Response (IR)
The customer is responsible for its own incident response policies and procedures.
Maintenance (MA)
Dell Software will make patches available in a timely manner if problems are discovered in Password Manager.

Media Protection (MP)
The customer is responsible for its own media protection policies.

Physical and Environmental Protection (PE)
The customer is responsible for its own physical and environmental protection policies.

Planning (PL)
The customer is responsible for its own security planning policies.

Personnel Security (PS)
The customer is responsible for enforcing personnel security policies, including personnel screening and termination.
Risk Assessment (RA)
The customer is responsible for its own risk assessment policies.

System and Services Acquisition (SA)
The customer is responsible for its own system and services acquisition policies.

System and Communications Protection (SC)
To secure network communication with its users, the Password Manager Web application supports the use of SSL. Kerberos and NTLM authentication are used to protect Active Directory Service Interfaces, LDAP, and remote procedure calls. Sensitive data is encrypted with 192-bit TripleDES. Access is only required to necessary communication ports. Section(s): Protection of Sensitive Data, Secure Network Communication, Open Communication Ports.

System and Information Integrity (SI)
Password Manager must run under a user account with specific privileges. User input provided through the Web application is verified to protect against faulty input and potential attacks. Section(s): Accounts Used in Password Manager, Verification of User Input.
For More Information
© 2012 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ("Dell"). Dell, Dell Software, the Dell Software logo and products as identified in this document are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
About Dell Software
Dell Software helps customers unlock greater potential through the power of technology, delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.

If you have any questions regarding your potential use of this material, contact:
Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com
Refer to our Web site for regional and international office information.

TechBrief-Security4PasswordMgr-US-KS-2013-10-29