Understanding and Configuring Password Manager for Maximum Benefits




Written by Chris Radband, senior professional services consultant, Dell Software

Introduction

About Password Manager

The pain of password management, the single most common support issue, is becoming more pervasive. Requiring more complex passwords that must be changed more frequently increases the likelihood that users will forget them. As a result, increasing security often also increases support costs.

Password Manager provides a simple, secure set of password management utilities that lets end users reset forgotten passwords and unlock their user accounts themselves. Administrators can therefore implement stronger password policies while reducing help-desk workload. Password Manager accommodates a wide range of organizational requirements and data security standards.

Dell Password Manager, part of the Dell One Identity product family from Dell Software, enables users to securely reset forgotten passwords and unlock their accounts themselves, so administrators can implement stronger password policies without adding to the help-desk workload. This technical brief describes Password Manager's system requirements and logical architecture, and discusses key configuration decisions to help you derive maximum value from the solution.

Benefits

Password Manager offers the following benefits:

Reduced costs. Enabling users to reset their own passwords reduces help-desk workload and related support costs. Users who forget their passwords get back to work faster, with less frustration, which curbs productivity losses.

Increased security. When users know they can reset their own passwords, they are less likely to write them down. A stronger password policy makes password guessing and break-ins more difficult.

Streamlined administration. Password policies are easy to implement and enforce. Administrators can track and report on all password reset activity, and in Windows Server 2008 domains they have granular control over password policy at a per-group level (fine-grained password policy) rather than for the entire domain only.

Ease of use. Password resets from the Windows logon screen are supported through an optional Graphical Identification and Authentication DLL (GINA) extension.

Figure 1. Password Manager enhances security and reduces costs by enabling users to reset their own passwords. (The figure shows the end-user, help-desk and security-administrator workflows: forgotten password, locked-out account, account and identity verification, account unlock, enrollment enforcement, question and policy definition, password history enforcement, activity logging and monitoring, alerting on suspicious activity, and integrations with ActiveRoles Server, Identity Manager, Quick Connect password synchronization, Defender and Enterprise Single Sign-on.)

System requirements

Basic requirements

Platform: 800 MHz or higher Intel Pentium-compatible CPU (quad core recommended)
Memory: at least 128 MB RAM (256 MB recommended; 4+ GB recommended)
Hard disk space: 100 MB (20 GB recommended)
Operating system: one of the following:
  Microsoft Windows Server 2003 (32-bit edition) with Service Pack 1 or later
  Microsoft Windows Server 2003 (64-bit edition) with Service Pack 1 or later
  Microsoft Windows Server 2008 (32-bit edition) with Service Pack 1
  Microsoft Windows Server 2008 (64-bit edition) with Service Pack 1
  Microsoft Windows Server 2008 R2 (recommended)
  Microsoft Windows Server 2012
Internet Information Server: one of the following:
  Microsoft Internet Information Server 6.0
  Microsoft Internet Information Server 7.0
  Microsoft Internet Information Server 7.5
  Microsoft Internet Information Server 8.0
  It is strongly recommended that you use HTTPS with Password Manager. For more information, see the Quick Start Guide.
Browser: Microsoft Internet Explorer 6.0, 7.0, 8.0, 9.0 or 10.0
SQL Server: one of the following:
  Microsoft SQL Server 2005
  Microsoft SQL Server 2008
  Microsoft SQL Server 2008 R2 (recommended)
  Microsoft SQL Server 2012
  Report definitions included with Password Manager 4.7 are designed to support the functionality of Microsoft SQL Server 2005 Reporting Services and Microsoft SQL Server 2008 Reporting Services.
  Note: if SQL Server is to be hosted on the Password Manager server, increase the platform, memory and disk specifications above.
Microsoft .NET Framework: Microsoft .NET Framework 3.5 SP1, which is included with the Password Manager distribution package. You must install .NET Framework 3.5 SP1 before you install Password Manager.
Acrobat Reader: Acrobat Reader 5.0 or later. Acrobat Reader 7.0 is included with the Password Manager distribution package.

Password Manager works with Windows 2000, 2003 and 2008 domains, including domains operating in mixed mode.
Client requirements

Ensure that each client computer meets the following minimum software requirements:

Browser: one of the following:
  Microsoft Internet Explorer 6.0, 7.0, 8.0 or 9.0
  Mozilla Firefox 3
  Apple Safari 5
  Google Chrome 7

Domain controller requirements

To implement password policies in an Active Directory domain managed by Password Manager, you must deploy the Password Policy Manager component on all domain controllers in the managed domain (a password filter is evaluated by whichever domain controller processes a password change, so a controller without the component would not enforce the policy). The domain controllers where you plan to install the 32-bit or 64-bit version of the Password Policy Manager component must meet the following requirements:

Operating system: one of the following:
  Microsoft Windows 2000 Service Pack 4
  Microsoft Windows Server 2003 (32-bit or 64-bit edition)
  Microsoft Windows Server 2008 (32-bit or 64-bit edition)
  Microsoft Windows Server 2008 R2
Hard disk space: 5 MB of free hard disk space

Target computer requirements

To allow password resets from the Windows logon screen, you must deploy the Secure Password Extension on all target computers in the managed domain. The target computers must meet the following minimum software requirements:

Operating system: one of the following:
  Microsoft Windows 2000 Server Service Pack 4
  Microsoft Windows Server 2003
  Microsoft Windows Server 2008
  Microsoft Windows Server 2008 R2
  Microsoft Windows 2000 Professional Service Pack 4
  Microsoft Windows XP Professional Service Pack 2 or later
  Microsoft Windows Vista
  Microsoft Windows 7
Browser: Microsoft Internet Explorer 6.0, 7.0, 8.0 or 9.0

We do not recommend the use of any plug-ins for Microsoft Internet Explorer on computers where you plan to deploy the Secure Password Extension. Plug-ins extend Internet Explorer functionality, and because the extension renders web content at the logon screen before any user has authenticated, they could pose security threats there.

SQL sizing

Database size estimation is based on the number of records stored. A size estimate can be generated from the following information and is driven primarily by user count:

Generic user activity (such as enroll, password reset or unlock) per 1000 users is estimated at less than 3 to 5 MB. For example, if the password reset rate is 10 per day, database growth will be in the region of 30 to 50 KB per day, or about 1 to 1.5 MB per month.

Reporting data is also stored in the database. No sizing estimate is available, but it is expected to be less than the user activity estimates above. For more information, see Dell Support Solution 21284.

Figure 2. Logical architecture. (The figure shows three zones: the LAN, holding Active Directory, SQL Server, SQL Reporting Services and e-mail on port 25 SMTP; the DMZ, holding the QPM/IIS server behind the internal firewall; and the Internet beyond the external firewall. QPM traffic from the DMZ into the LAN uses 53-DNS, 80-HTTP, 88-Kerberos, 139-NetBIOS, 443-HTTPS, 445-MS DS, 636-LDAPS, 3268-AD GC and 1433-SQL; traffic from the Internet into the DMZ uses 443-HTTPS only.)

Logical architecture

Placement of the Password Manager server (which hosts IIS) and the SQL components (which can alternatively be hosted on the Password Manager server) is shown in Figure 2.

Firewall ports

Hosting Password Manager in the DMZ requires ports to be open from the DMZ into the LAN, as shown in Figure 3.

Figure 3. Firewall ports. (The figure shows the QPM/IIS server in the DMZ between the internal and external firewalls, with QPM traffic into the LAN and HTTPS from the Internet.)

Internal firewall (DMZ to LAN), open ports: 53-DNS, 80-HTTP, 88-Kerberos, 139-NetBIOS*, 389-LDAP*, 443-HTTPS, 445-MS DS*, 636-LDAPS, 3268-AD GC, and the SQL Server port**.
External firewall (Internet to DMZ), open ports: 443-HTTPS.

* All communications through HTTP port 80 can use HTTPS port 443 instead.
** The SQL connection uses a dynamic port (TCP 1816 in the process table below, labelled "SQL TCP Dynamic Port"), which is selected by SQL Server.

Two notes on the figure. The original labels the Global Catalog port 3266; the LDAP Global Catalog port is TCP 3268 (3269 over SSL), and that is what the internal firewall rule should allow. And a dynamic SQL port means the firewall rule must admit an unpredictable port, plus UDP 1434 to the SQL Server Browser service that resolves it; assigning the instance a static port and opening only that port is the usual practice.
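Before cutting over, it is worth proving from the DMZ host that the internal firewall actually passes the ports Figure 3 requires. The following PowerShell script is an added example, not part of the Dell tech brief or the product; the hostnames and the SQL port are placeholders. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on the Windows Server 2008 R2 / PowerShell 2.0 hosts the brief lists. UDP services in the figure (DNS 53, Kerberos 88, LDAP 389, SQL Browser 1434) cannot be verified with a TCP connect and are not probed.

```powershell
# Added example (not from the Dell tech brief): probe the TCP ports Figure 3 requires
# from the DMZ QPM/IIS host into the LAN. Hostnames and $sqlPort are placeholders.

$dc      = 'dc01.corp.example'    # placeholder domain controller
$sql     = 'sql01.corp.example'   # placeholder SQL Server host
$smtp    = 'mail01.corp.example'  # placeholder SMTP relay
$sqlPort = 1433                   # static port; if the instance uses a dynamic port, put the current one here

$checks = @(
    @{ Target = $dc;   Port = 53;       Use = 'DNS (TCP)' },
    @{ Target = $dc;   Port = 88;       Use = 'Kerberos' },
    @{ Target = $dc;   Port = 389;      Use = 'LDAP' },
    @{ Target = $dc;   Port = 636;      Use = 'LDAPS' },
    @{ Target = $dc;   Port = 3268;     Use = 'Global Catalog' },
    @{ Target = $dc;   Port = 445;      Use = 'SMB (MS-DS)' },
    @{ Target = $sql;  Port = $sqlPort; Use = 'SQL Server' },
    @{ Target = $smtp; Port = 25;       Use = 'SMTP' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: the port is filtered (firewall drop) or the host is down.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        # EndConnect throws if the port is closed (RST) or the name does not resolve.
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Target = $c.Target
        Port   = $c.Port
        Use    = $c.Use
        Open   = Test-TcpPort -ComputerName $c.Target -Port $c.Port
    }
}

$results | Sort-Object Target, Port | Format-Table Target, Port, Use, Open -AutoSize

# Non-zero exit if anything required is unreachable, so the script can gate a deployment step.
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning ("{0} required port(s) unreachable: {1}" -f $closed.Count,
        (($closed | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '))
    exit 1
}
```

A successful connect only shows that the firewall passes the port; it says nothing about the LDAPS certificate or Kerberos working end to end, which the Password Manager installer's domain-add step exercises.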

Several processes participate in communications. Some belong to Password Manager directly; others are Windows components that Password Manager relies on.

Password Manager server (add domain, create Q&A profile, change password, reset password):
  svchost.exe     in   TCP 80 (HTTP)
  lsass.exe       out  UDP 53 (DNS)
  w3wp.exe        out  UDP 53 (DNS)
  w3wp.exe        out  UDP 389 (LDAP) to DC
  w3wp.exe        out  TCP 389 (LDAP) to DC
  w3wp.exe        out  TCP 636 (LDAPS) to DC
  lsass.exe       out  TCP 88 (Kerberos) to DC
  lsass.exe       out  UDP 88 (Kerberos) to DC
  QPMSERVICE.exe  out  UDP 389 (LDAP) to DC
  QPMSERVICE.exe  out  TCP 389 (LDAP) to DC
  svchost.exe     out  ICMP

SQL connection:
  w3wp.exe        out  UDP 1434 (SQL Server Browser) to SQL
  w3wp.exe        out  TCP 1816 (SQL TCP dynamic port) to SQL
  QPMSERVICE.exe  out  TCP 1816 (SQL TCP dynamic port) to SQL

Report server:
  w3wp.exe        out  TCP 80 (HTTP) to report server

E-mail:
  w3wp.exe        out  TCP 25 (SMTP) to SMTP server
  QPMSERVICE.exe  out  TCP 25 (SMTP) to SMTP server

Secure Password Extension (SPE), on target computers:
  winlogon.exe    out  TCP 389 (LDAP) to DC
  lsass.exe       out  UDP 88 (Kerberos) to DC
  SPEnroll.exe    out  TCP 389 (LDAP) to DC
  winlogon.exe    out  TCP 80 (HTTP) to QPM host
  SPEHtml.exe     out  TCP 80 (HTTP) to QPM host

The table lists the SPE talking to the QPM host over HTTP port 80. Since this brief strongly recommends HTTPS, point the Secure Password Extension at the HTTPS address of the self-service site so that traffic from the logon screen is not sent in clear text.

For more information about the ports used by Password Manager, see Dell Support Solution 61085.

Service account requirements

Password Manager service account

When you install Password Manager, you are prompted for the name and password of the Password Manager service account. For Password Manager to run successfully, the service account must meet the following requirements:
  You must add the Password Manager service account to the Administrators group on the web server where Password Manager is installed.
  In IIS 6.0, the Password Manager service account must be a member of the IIS_WPG local group on the web server.
  In IIS 7.0, the Password Manager service account must be a member of the IIS_IUSRS local group on the web server.
Permissions to access a managed domain

Usually, the Password Manager service account is used both to run the service and to access managed domains. In that case, the following permissions are required by the service account:
  Membership in the Domain Users group
  Read permission for all attributes of user objects
  Write permission for the following attributes of user objects: pwdLastSet, comment and userAccountControl
  The right to reset user passwords
  Write permission to create user accounts in the Users container
  Read permission for attributes of organizationalUnit objects and domain objects
  Write permission for the gPLink attribute of organizationalUnit objects and domain objects
  Read permission for attributes of groupPolicyContainer objects
  Write permission to create and delete groupPolicyContainer objects in the System\Policies container
  Read permission for the nTSecurityDescriptor attribute of groupPolicyContainer objects
  The permission to create and delete container and serviceConnectionPoint objects in Group Policy containers

  Read permission for the attributes of container and serviceConnectionPoint objects in Group Policy containers
  Write permission for the serviceBindingInformation and displayName attributes of serviceConnectionPoint objects in Group Policy containers
  The permission to create container objects in the System container
  The permission to create serviceConnectionPoint objects in the System container
  The permission to delete serviceConnectionPoint objects in the System container
  Write permission for the keywords attribute of serviceConnectionPoint objects in the System container

Configuration design decisions

Note that the following configurations are common but not definitive.

Managed domains

General logon security options
Configure logon security options as shown in Figure 4. The lockout conditions configured in Password Manager should be in line with the domain's account lockout policy.

Groups
Use the following groups to manage access to Password Manager and mail notifications, and to enable phased rollout and registration:
  Groups allowed to access the Password Manager Self-Service site
  Groups denied access to the Password Manager Self-Service site
  Groups allowed to receive registration notifications
  Groups denied registration notifications
  Groups allowed to receive password expiration notifications
  Groups denied password expiration notifications

Challenge questions
Defining the questions users must answer for registration or password reset is a project in its own right. To register, a user should have to answer 5 to 6 questions from a list of 15 to 20. To reset a password or unlock an account, a user should have to answer 2 to 3 of them. Figure 5 shows these settings. Prefer questions whose answers cannot be looked up in public records or social media and that have many plausible answers; the minimum answer length in the Q&A policy helps rule out trivially guessable ones.

Q&A policy
Configure the Q&A policy as shown in Figure 6. The minimum answer length depends somewhat on the question list.

Figure 4. Logon security options
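The user-object entries in the permission list above (read all attributes; write pwdLastSet, comment and userAccountControl; reset password) can be delegated to the service account on one OU rather than at the domain root. The PowerShell below is an added example, not from the brief or the product: it needs the ActiveDirectory module (RSAT) and its AD: drive, and the account name and OU are placeholders. It resolves attribute and extended-right GUIDs from the schema rather than hard-coding them. The remaining entries (Users container, gPLink, Group Policy and System container rights) are separate grants and are not covered here.

```powershell
# Added example (not from the Dell tech brief): delegate the user-object rights the
# brief lists to the Password Manager service account, scoped to one OU.
# Account and OU are placeholders; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$serviceAccount = 'CORP\svc-pwdmgr'                       # placeholder
$targetOU       = 'OU=Managed Users,DC=corp,DC=example'   # placeholder

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

$sid       = (New-Object System.Security.Principal.NTAccount($serviceAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$userClass = Get-SchemaGuid 'user'
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # apply to child user objects only
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @()

# Read all attributes of user objects under the OU.
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow, $inherit, $userClass)

# Write only the three attributes the brief names: one property-specific ACE each.
foreach ($attr in 'pwdLastSet', 'comment', 'userAccountControl') {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        (Get-SchemaGuid $attr), $inherit, $userClass)
}

# The "Reset Password" control access right on user objects.
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    (Get-ExtendedRightGuid 'Reset Password'), $inherit, $userClass)

$acl = Get-Acl -Path "AD:\$targetOU"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Verify: show the ACEs now granted to the service account on the OU.
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Scoping the grant to the OU that holds managed users, rather than the domain head, keeps a compromise of the service account (which the brief also makes a local Administrator on the web server) from translating into password resets on privileged accounts kept elsewhere in the directory.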

Figure 5. Configuring the number of questions required to register, reset a password, or unlock an account

Figure 6. Configuring the Q&A policy

Figure 7. Configuring enforcement of Q&A profile policy

Enforcement of Q&A profile policy

The settings for user enforcement are illustrated in Figure 7.

Settings

Self-service site
The common configuration of the self-service site is illustrated in Figure 8. Days to notify before password expires: 10.

Figure 8. Configuring the self-service site

Figure 9. Configuring the help desk site

Help desk site
The usual configuration of the help desk site is shown in Figure 9.

Profile update policy
Figure 10 shows how the profile update policy is commonly configured. To minimize profile update requirements, ensure that the Q&A policy definition is correct before rolling it out to the entire user base; changing the policy after rollout forces users to update their profiles.

Reporting and logging
A SQL Server instance and a SQL Server Reporting Services instance are required.

Notification
Notification is usually disabled other than for troubleshooting or other special purposes. The available settings are illustrated in Figure 11.

Figure 10. Configuring the profile update policy

Figure 11. Configuring notifications

Customization

Website and logo
The look and feel of the website can be modified; it is common to customize the logos. More details can be found in Dell Support Solution 61098.

Disaster recovery

Backing up the domain controllers
Password Manager stores all important information in Active Directory, so as long as there is a valid backup of the domain controllers, the Password Manager Q&A profiles will be recoverable. Recovering data for individual users is much easier if you have Dell Recovery Manager for Active Directory.

Backing up the audit database, if desired
Password Manager uses a database, DDSLogSubsystem, to store auditing information, such as who has reset a password. If this information is needed in your organization, back up the database. A backup of the local .spr file is also recommended.

Backing up the encryption key
Another requirement is a backup copy of the encryption key. By default, this key is stored on the Password Manager server at:
C:\Program Files\Quest Software\Quest One Password Manager\QPMEnckey.bin

Treat the key backup as secret material: keep it separate from ordinary server backups, restrict access to the administrators who need it, and record which copy belongs to which server. Without the key, the data it protects cannot be recovered; anyone who obtains a copy gains whatever the key protects.

For more information about disaster recovery, see Dell Support Solution 31859.
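The three backup items above (the DDSLogSubsystem database, the .spr file and QPMEnckey.bin) can be collected by one script run on the Password Manager server. The PowerShell below is an added example, not from the brief or the product. It assumes sqlcmd.exe from the SQL Server command-line tools is installed, that the script runs elevated, and that the .spr path, SQL instance name and backup locations, all placeholders, are adjusted to the installation. It writes a SHA-256 manifest so that a restore can detect a truncated or altered key copy, and strips inherited permissions from the backup folder because it now holds key material.

```powershell
# Added example (not from the Dell tech brief): collect Password Manager recovery items
# into one timestamped folder, hash them, and lock the folder down.
# All paths, the instance name and the .spr file name are placeholders.
$ErrorActionPreference = 'Stop'

$pmDir       = 'C:\Program Files\Quest Software\Quest One Password Manager'
$keyFile     = Join-Path $pmDir 'QPMEnckey.bin'
$sprFile     = Join-Path $pmDir 'Service\QPM.spr'            # placeholder: locate your .spr file first
$sqlInstance = 'SQL01\QPM'                                    # placeholder
$stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir   = "D:\Backups\PasswordManager\$stamp"            # placeholder
$dbBackup    = "\\SQL01\Backups\DDSLogSubsystem-$stamp.bak"   # placeholder; must be writable by the SQL Server service

New-Item -ItemType Directory -Path $backupDir | Out-Null

# 1. Audit database: full backup with page checksums. -b makes sqlcmd return non-zero on a T-SQL error.
& sqlcmd -S $sqlInstance -E -b -Q "BACKUP DATABASE [DDSLogSubsystem] TO DISK = N'$dbBackup' WITH INIT, CHECKSUM"
if ($LASTEXITCODE -ne 0) { throw "SQL backup failed (exit code $LASTEXITCODE)" }
Copy-Item -Path $dbBackup -Destination $backupDir

# 2. Encryption key (required) and .spr file (recommended).
if (-not (Test-Path $keyFile)) { throw "Encryption key not found at $keyFile" }
Copy-Item -Path $keyFile -Destination $backupDir
if (Test-Path $sprFile) { Copy-Item -Path $sprFile -Destination $backupDir }
else { Write-Warning "No .spr file at $sprFile; set `$sprFile to the path used by this installation" }

# 3. SHA-256 manifest. Uses .NET directly because Get-FileHash does not exist before PowerShell 4.0.
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close(); $sha.Clear() }
}
# Enumerate first, then write, so the manifest does not list itself.
$files = @(Get-ChildItem -Path $backupDir | Where-Object { -not $_.PSIsContainer })
$files | ForEach-Object { '{0}  {1}' -f (Get-Sha256Hex $_.FullName), $_.Name } |
    Set-Content -Path (Join-Path $backupDir 'SHA256SUMS.txt')

# 4. The folder holds key material: remove inherited ACEs and allow only Administrators and SYSTEM.
& icacls $backupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit code $LASTEXITCODE)" }

Write-Host "Backup written to $backupDir"
```

Before trusting the script in a disaster, test a restore on a non-production server: copy QPMEnckey.bin and the .spr file back into place, compare them against SHA256SUMS.txt, and restore DDSLogSubsystem with RESTORE DATABASE from the .bak file.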

For More Information

(c) 2013 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ("Dell"). Dell, Dell Software, the Dell Software logo and products as identified in this document are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

About Dell Software

Dell Software helps customers unlock greater potential through the power of technology, delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com

If you have any questions regarding your potential use of this material, contact:
Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com
Refer to our Web site for regional and international office information.

TechBrief-ConfigQ1PMmaxBene-US-VG-2013-11-20