Welcome to QuestDrive Quest Defender This document will guide you through experiencing Quest Defender as a user, a Helpdesk user, a Helpdesk Administrator and a Defender administrator, using a self-contained, working, virtual Defender installation. See below for an introduction to Quest Defender, and then follow the step-by-step instructions to experience each user scenario. What is Quest Defender? Quest Defender enhances security by enabling two-factor authentication to network, Web, and applications-based resources in your enterprise. Without Defender, users typically authenticate to these resources using just a password with Defender, a token can be used, such as the Defender itoken shown below, to provide a higher level of authentication. Quest Defender forms part of the Quest One Identity Solution, simplifying identity and access management.
Defender tokens As described on the previous page, Defender tokens are used instead of or as well as a password to provide a higher level of authentication to resources. A wide range of tokens are available: hardware tokens, eg, the Go-6 token software tokens that can be installed on a user s corporate desktop or hand-held device, eg iphone Web-based tokens, eg the Defender GrIDsure token For the practical purposes of these demonstrations, we will use a simulated display of a Defender software token installed on a user s iphone this token is called the Quest itoken. Page 2
Experience Defender using QuestDrive This QuestDrive demonstration will guide you through: an end-user s experience of Defender: o o o authenticating to a secured web site using a Defender token using a Defender token to reset a password via Quest Password Manager requesting a token using the web-based Defender Token Deployment System a Defender administrator s experience of Defender, including: o o o o o o o a walk through introduction to Defender configuration held in Active Directory quickly assign the appropriate permissions to a Defender service account testing connectivity between the Defender Security Server and Active Directory using Defender Reports to view today s authentication activity using PowerShell Management for Defender to list tokens per user using the Quest ActiveRoles Server console to modify a Defender token policy an introduction to Defender Token Deployment System administration a basic Helpdesk user s experience of Defender, using Active Directory Users & Computers to assign a temporary token response for a user a Helpdesk administrator's experience of Defender, using Quest ActiveRoles Server to set up a Defender token for a user via the ActiveRoles Web interface. Page 3
an end-user experience Page 4
Authenticating using a Defender token In this session, you will take the role of an end-user, to experience authenticating to a secure web page using a Defender token. You will be authenticating using a Defender itoken, as shown in the picture below, to gain secure access to your web application. All token responses used in this document are examples. In this setup, we are using Quest Webthority behind the scenes, to prompt you for Defender authentication when you try to access the application. You are now ready to start the demonstration follow the instructions on the next page. Page 5
You will be authenticating as a user called Demo, using a Defender itoken, to access a secure website, http://myprotectedapp.defenderdemo.local. Follow the steps below to start: 1. Double click (or right click and select Open) the Authentication Demo shortcut from the desktop. This will launch Internet Explorer, which has its home page set to http://myprotectedapp.defenderdemo.local for this demonstration. 2. As the web site is protected by Defender, the user is prompted to provide their username (Customer ID) and token response for authentication before the web site can be accessed. 3. Enter the username Demo in the Customer ID field. 4. Using the iphone Simulator on the QuestDrive desktop, click the button next to the number display to generate the next token response. If the iphone Simulator is not displayed on the desktop double click the icon on the desktop to run the application. Page 6
5. Enter this response in to the Token Response field on the web page. For example, in the screenshot below the token response 177337 is entered in the Token Response: field. 6. Select OK on the Login webpage. 7. Your Defender protected web site will be displayed. 8. Close the browser to end this session. Summary In this session, you successfully authenticated to a secure web site, using a Defender itoken. Page 7
Reset your password using a Defender token In this session, you will again take the role of an end-user, this time using your Defender token to validate your identity to allow you to reset a forgotton password using Quest Password Manager. You will be entering your Defender token response on the Quest Password Manager password reset page, as shown in the picture below, to validate your identity before resetting your password. Page 8
As the Demo user, you will be resetting your password using the Quest Password Manager reset tool at http://localhost:81/qpm/user/identification/, using a Defender itoken to first validate your identity. Follow the steps below to start: 1. Double click (or right click and select Open) the QPM Integration demo shortcut from the desktop. This will launch Internet Explorer, which has its home page set to http://localhost:81/qpm/user/identification/ for this demonstration. The Quest Password Manager user details page is displayed, which is used to identify the user and their domain. 2. Enter the user account name Demo in the Enter your first, last, partial, or logon name: field and select Search. The Quest Password Manager menu page will be displayed, showing the options available to our Demo user. Page 9
3. Select the first menu option Forgot My Password. 4. As Quest Password Manager has been configured to use Defender for authentication rather than prompting the user to answer secret questions, the Defender Enter Token Response: prompt is displayed. 5. Using the iphone Simulator on the QuestDrive desktop, click the button to display the next token response. Page 10
6. Return to the web page and enter this response in the Enter Token Response: field. In the example below, token response 332489 is entered. 7. Select Next. Having been successfully authenticated by Defender, you are now prompted to reset your password. 8. Enter Quest123 in the new and confirm new password fields. 9. Select Finish to complete the password reset. 10. Close the browser to end this session. 11. Right click on the iphone Simulator and select Exit to close the simulator. Page 11
Summary In this session, you used a Defender itoken to validate your identity, to allow you to reset your password using Quest Password Manager. Explore further As described earlier, a range of Defender tokens can be used for authentication. Further information on Defender tokens is included in the documentation set, which can be found in the Documentation folder on the QuestDrive desktop. Start with the following books: Defender Software Token User Guide Defender Hardware Token User Guide Page 12
Requesting a token using the web-based Defender Token Deployment System In this session, as an end-user, you will access the software token setup wizard using the Defender Token Deployment System. The Defender Token Deployment System is a web based portal that enables Defender hardware and software token users to request and register tokens without administrator intervention. Follow the steps below to start: 1. Double click (or right click and select Open) the Token Deployment System demo shortcut from the desktop. This will launch Internet Explorer, which has its home page set to http://localhost:83 for this demonstration. 2. To log on to the Token Deployment System web interface as the Demo user, enter the following credentials and select OK: Username: Demo Password: Quest123 Page 13
The Defender Token Deployment System web interface is displayed: 3. Select Request a Software Token to start the Defender Software Token Setup wizard web page. Page 14
4. You will only see images for the token type(s) that you are allowed to request. This is defined by an administrator. To continue with the wizard the user would now click on the token image for the type of token that is required, for example, the Blackberry token. An email would then be sent to the user, however, for this QuestDrive demonstration no SMTP server is configured. Summary In this session, you accessed the Defender token setup wizard within the Token Deployment System web site. This would be used to self-register a software token to your account and provide the necessary information for you to install and activate the token software on your device. Explore further Further information on the Defender Token Deployment System can be found in the Documentation folder on the QuestDrive desktop. See: Defender Token Deployment System User Guide Page 15
a Defender administrator s experience Page 16
Explore Defender configuration in Active Directory In this session, you ll gain an administrator s insight into the Defender configuration stored in Active Directory Users and Computers. Below is simple illustration of the core components of Defender: Page 17
Follow the steps below to start: 1. Select the icon on the QuestDrive task bar to open Active Directory Users & Computers. Alternatively, go to Start, Administrative Tools and select Active Directory Users and Computers. 2. Select and expand the Defender OU in the Active Directory Users and Computers tree: The Defender OU contains the configuration settings for the Defender Access Nodes, Polices, Radius Payloads and Security Servers that form the core of the Defender system. An additional menu option is available from the menu bar for Defender when the Defender OU is selected, as indicated above. This is also used for some of the administration functions of Defender such as importing tokens. Page 18
3. To view Defender configuration for a specific user, select the Users OU, then double-click the Demo Account user to display the Demo Account Properties for this user. 4. Select the Defender tab to display the tokens assigned to the Demo user. This dialog can be used to perform various administrative tasks, such as assigning a token to the user, or testing the user s token. Page 19
5. Select the Policy tab to display the policy rules associated with this user s token, and the RADIUS Payload tab to display Radius configuration used for VPN access for this user: 6. Close the Demo Account Properties dialog and Active Directory Users and Computers to end this session. Summary In this session you explored the Defender configuration held in Active Directory, and looked at the Defender properties for the Demo user. Page 20
Explore further To fully appreciate the integration of Defender with Active Directory, we recommend you read the documentation included within the Documentation folder on the QuestDrive desktop, starting with: Defender Quick Start Guide Defender Installation Guide Defender Configuration Guide The diagram below is an example of how Defender may be deployed, utilizing many of the additional components available such as the Defender Desktop Login and Token Deployment System. You can refer to the appropriate documents in the Documentation folder for further information. Further information can also be found online at: http://www.quest.com/quest_site_assets/pdf/questdefenderdatasheetfinal.pdf Page 21
Quickly assign the appropriate permissions to a Defender service account In this session, as an administrator, you will use Active Directory Users & Computers to run the Defender Delegate Control wizard to assign the required Active Directory permissions to an account that will be used as the Defender Security Server (DSS) service account. The DSS service account is configured on the DSS Configuration dialog and is used to read and write to / from Active Directory (AD). For the purposes of this demonstration the account used is named DSS_Service_Account. This account has already been created in AD and configured on the DSS configuration dialog as in the above screen shot Page 22
Follow the steps below to start: 1. Select the icon on the QuestDrive task bar to open Active Directory Users & Computers. Alternatively, go to Start, Administrative Tools and select Active Directory Users and Computers. 2. Select the Defender OU in the Active Directory Users and Computers tree which will then display the Defender menu bar item: 3. Select Defender from the main menu and choose Delegate Control to display the Defender Delegated Administration Wizard: Page 23
4. Select Add and use the AD Select Users or Groups dialog to add DSS_Service_Account as above. Select Next to continue. 5. Scroll down to the Service Accounts section and enable Defender Security Server as above. Select Next to continue. 6. Select Add and use the dialog displayed to select the defenderdemo.local Users OU as above. Select Next to continue. Page 24
7. The Defender Object Locations dialog will be automatically completed as above. Select Next to continue. 8. Select Finish completing the wizard. Page 25
Summary In this session you used the Defender Delegate Control wizard to assign the required AD permissions to an account that is used as the DSS service account. Explore further Further information on Defender delegated administration is included in the documentation set, which can be found in the Documentation folder on the QuestDrive desktop. See: Defender Delegated Administration User Guide Page 26
Test Defender Server connectivity with AD In this session, you ll take the role of an administrator testing connectivity between the Defender Security Server (DSS) and Active Directory. The DSS is responsible for managing Defender authentications, and is a core component of Defender. Follow the steps below to start: 1. Select the shortcut on the taskbar to access the DSS Configuration dialog. Alternatively, go to Start, All Programs, Defender Active Directory Edition and select Defender Security Server Configuration. The Defender Security Server Configuration dialog is displayed - the Active Directory LDAP tab shows the address of the domain the DSS is using for Active Directory communications, together with the service account and account password. Page 27
2. To test connectivity between the DSS and Active Directory, select the Test Connection tab: 3. Select the Test button to display the results of authenticating and connecting to the server specified on the Active Directory LDAP tab. 4. Close the dialog to end the session. Summary In this session you tested connectivity between the Defender Security Server (DSS) and Active Directory. Page 28
Using Defender Reports In this session, you ll use the web-based Defender reporting tool http://localhost:82/ as the Administrator user to view today s Defender authentication activity. Follow the steps below to start: 1. To access the Defender Reports console select the shortcut from the desktop or open Internet Explorer and browse to http://localhost:82/ 2. Enter your administrator user credentials: Username: Administrator Password: Quest123 Page 29
3. The Defender Reports Console is displayed: 4. Select Audit Trail to display the Audit Trail selection criteria window: Page 30
5. Accepting all default values, select the Generate button at the bottom of the page to display a report displaying all Defender log messages for today. 6. Select the Home button in the top left corner, else select one of the options in the left pane to gain a flavour of the other Defender reports available, eg users who have failed authentication, user activity and token information. 7. Close the browser to end this session. Summary In this session, you used the Defender Reports tool to display the Defender audit log for today, and explored other available Defender reports. Page 31
Using PowerShell Management for Defender In this session, you ll use PowerShell Management for Defender to view the list of cmdlets available and use one of the cmdlets to list the tokens assigned to a user. PowerShell Management for Defender is implemented as a Windows PowerShell snap-in, providing an extension to the Windows PowerShell environment. Follow the steps below to start: 1. To access PowerShell Management for Defender select the shortcut from the desktop. 2. To view a list of the Defender cmdlets that are available enter the command: Get-Command Quest.Defender.AdminTools\* 3. To list the tokens that are assigned to the User1 user account enter the command Get-TokensforUser user1 Page 32
Summary In this session, you used PowerShell Management for Defender to list the Defender cmdlets that are available and used the Get-TokensforUser cmdlet to display a list of the tokens that are assigned to a user. Explore further Further information on PowerShell Management for Defender is included in the documentation set, which can be found in the Documentation folder on the QuestDrive desktop. See: PowerShell Management for Defender Page 33
Using Quest ActiveRoles Server to modify a Defender Token Policy In this session, you ll use the Quest ActiveRoles Server console to modify a Defender Token Policy. Follow the steps below to start: 1. Select the icon on the QuestDrive task bar to open the Quest ActiveRoles Server console. Alternatively, go to Start, All Programs, Quest Software, ActiveRoles Server and select ActiveRoles Server Console. Page 34
2. If the Policies OU is not selected in the left hand window navigate to Active Directory, defenderdemo.local, Defender and then select Policies. A list of configured Defender policies is displayed. 3. Select Token Only, right click and select Properties. 4. Select the Account tab. Modify the setting by selecting Enable Account Lockout and changing the Lockout After setting to 5. Page 35
5. Select Apply to save the changes. Summary In this session, you used the Quest ActiveRoles Server console to modify a Defender Token Policy. Defender administration using the Quest ActiveRoles Server console is supported in version 5.6.0.2593 and later. Page 36
Defender Token Deployment System administration In this session we will explore the configuration pages for the Defender Token Deployment System (TDS). The Defender Token Deployment System is a web based portal that enables Defender hardware and software token users to request and register tokens without administrator intervention. Follow the steps below to start: 1. Double click (or right click and select Open) the Token Deployment System demo shortcut from the desktop. This will launch Internet Explorer, which has its home page set to http://localhost:83 for this demonstration. 2. To log on to the Token Deployment System web interface as the Demo user, enter the following credentials and select OK: Username: Administrator Password: Quest123 Page 37
The Defender TDS web interface is displayed: 3. Select Administer Token Deployment System. 4. The Common Settings web page is used to configure the service account which will be used to communicate with AD. Page 38
This web page is also used to enforce the use of PINs and set their minimum and maximum lengths. 5. The E-mail Settings page contains the SMTP server details. When requesting software tokens the setup process requires the sending of an email to the user requesting a new token. If an SMTP server has not been configured software token requests will not function. Page 39
6. The Hardware Tokens page displays the URLs to access the relevant hardware token self-registration web sites and provides an option for a default token type. Page 40
7. The Software Tokens page is used to configure the AD groups that will contain the user accounts who are authorized to request their own software tokens. In the above example the AD groups specified must exist in AD and the members of these groups will be authorized to request / self-register their own software tokens. Page 41
Summary In this session, you were given an introduction to the administration web pages for the Defender Token Deployment System. Explore further Further information on the Defender Token Deployment System can be found in the Documentation folder on the QuestDrive desktop. Start with the following books: Defender Token Deployment System Quick Start Guide Defender Token Deployment System Installation and Configuration Guide Defender Token Deployment System User Guide Page 42
a basic Helpdesk user s experience Page 43
Assigning a temporary token response to a user In this session, you will take the role of a basic Helpdesk user, and experience setting a temporary token response for a user. A typical scenario for assigning a temporary response could be that a member of the Sales team has called from his hotel room the night before he is to do an important demonstration and he has forgotten or lost his Defender Go-6 token. By setting a temporary token response for this user the Helpdesk can allow temporary access. Normally a Helpdesk user would be given restricted rights over Active Directory, and only allowed to perform certain functions. For the purpose of this demonstration, you have the administrator rights that were assigned when you first logged into QuestDrive. Page 44
How to assign a temporary token response As a basic Helpdesk user, you will be assigning a temporary token response to the Go-6 token for a user, User1, using Active Directory Users & Computers. Follow the steps below to start: 1. Select the icon on the QuestDrive task bar to open Active Directory Users & Computers. Alternatively, go to Start, Administrative Tools and select Active Directory Users and Computers. 2. In the Users OU, open the Properties dialog for User1 by double clicking on User1. Normally a Helpdesk user s view would be restricted according to their rights and privileges. Page 45
3. Select the Defender tab to view the tokens assigned to User1, and then select the GO-6 token as in the screenshot below. 4. Select the Helpdesk button to display the Defender Helpdesk dialog. This dialog is used to assign a temporary token response for the selected token. 5. Expand the Expires drop down list and select 2 days. 6. Select Allow response to be used multiple times. Page 46
7. Select Assign to generate the temporary response this is displayed in the Response field. This number can then be sent to the end user and can be used to authenticate for the next 2 days. 8. Select Close to finish. 9. Close the Defender Properties dialog and Active Directory Users and Computers to end the session. Summary In this session, you assigned a temporary token response to the Defender Go-6 token assigned to User1, using Active Directory Users & Computers. Explore further Further information on token administration is included in the documentation set, which can be found in the Documentation folder on the QuestDrive desktop. Start with the following book: Defender Token Administration Guide Page 47
a Helpdesk administrator s experience Page 48
Setting up a Defender token for a user In this session, you will take the role of a Helpdesk administrator using the Quest ActiveRoles Server web interface, and experience setting up a Windows Desktop token for a user. For the purpose of this QuestDrive demonstration, we are using the Quest ActiveRoles Server to provide an easy-to-use web interface view of the tasks that the Helpdesk administrator can perform. The picture below shows the Defender Properties for our Demo user account within the Quest ActiveRoles Server Web Interface. This is an example of one of pages available for Defender administration. Page 49
How to set up a Defender token for a user As a Helpdesk administrator, Helpdesk1, you will be setting up a Defender token for a user, User1, using the Quest ActiveRoles Server helpdesk web page http://localhost:81/arserverhelpdesk/. Follow the steps below to start: 1. Double click (or right click and select Open) the ARS Integration Demo shortcut from the desktop. This will launch Internet Explorer, which has its home page set to http://localhost:81/arserverhelpdesk/ for this demonstration. 2. To log on to the Quest ActiveRoles Server web interface as a Helpdesk administrator, enter the following credentials and select OK: Username: defenderdemo\helpdesk1 Password: Quest123 Page 50
The ActiveRoles Server menu page is displayed. 3. Next use the Quick Search facility to locate the user, User1. In the Quick Search box in the top left-hand corner of the page, enter User1 and press return or select the search icon. 4. Select User1 from the returned search results to display the General Properties dialog for the user. Page 51
5. Select Menu from to display the Defender menu options as in the above screen shot. 6. Select Program Defender Token from the left hand menu to display the Program Defender Token page. Page 52
7. This page shows that Windows Desktop, Blackberry, itoken, GrIDsure, Android and Email OTP tokens are available. Keep the default selection of Windows and then select Program. Page 53
The page above is displayed to show that a Defender Windows Desktop Token has now been programmed and assigned to User1. You would now normally send the token activation code (shown above) to the user, so that the user can activate their Defender token. 8. Close the browser to end the session. Summary In this session, you set up a Defender token for a user, using the Quest ActiveRoles Server web interface. Explore further Further information on using the Quest ActiveRoles Server Web Interface for Defender administration can be found in Defender Integration with ARS.pdf, which is stored in the Documentation folder on the QuestDrive desktop. Page 54
Next steps Now that you have experienced Defender first hand, you may want to try installing and configuring the product yourself. You can request a free Defender Starter Pack from here. Alternatively, contact your local Quest Sales representative for further information on Defender and the Quest One Identity Solution. Page 55