Defender 5.7. Deploying Defender Desktop Login using Microsoft Group Policy


2014 Dell Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
USA
www.quest.com
email: legal@quest.com

Refer to our Web site for regional and international office information.

TRADEMARKS

Quest, Quest Software, the Quest Software logo, and Defender are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners.

Disclaimer

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Deploying Defender Desktop Login Using Group Policy
Updated - March 2014
Software Version - 5.7

Contents

About
    Quest One Identity Solution
    Benefits of Defender
    Audience and Scope
    Conventions
    About Quest Software
    Contacting Quest Software
        Contacting Customer Support

Chapter 1  Introduction
    Deploying Defender Desktop Login using Microsoft Group Policy
    Defender Desktop Login MSI Properties
        DSS
        SHARED_SECRET
        EXCLUSION_MODE
        EXCLUSION_GROUPS
        ALLOW_OFFLINE_LOGON
        OFFLINE_LOGON_DAYS
        OFFLINE_LOGON_COUNT
        DISPLAY_NOTIFICATIONS
        STORE_PASSWORDS
        MANAGE_PASSWORDS
        WAIT_FOR_NETWORK
        BLOCK_CREDENTIAL_PROVIDERS

About

- Quest One Identity Solution
- Benefits of Defender
- Audience and Scope
- Conventions
- About Quest Software
- Contacting Quest Software

Quest One Identity Solution

Defender is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by:
- Reducing the number of identities
- Automating identity administration
- Ensuring the security of identities
- Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:
- Single sign-on
- Directory consolidation
- Provisioning
- Password management
- Strong authentication
- Privileged account management
- Audit and compliance

Defender includes the facility for Vendor Specific Attributes (VSAs) to be specified in the RADIUS payload. For further information on VSAs, refer to the RADIUS RFC at www.ietf.org/rfc.

Benefits of Defender

Some of the benefits that Defender brings to your organization are:
- seamless integration with Microsoft AD, using AD administration tools and techniques
- centralized administration for all Defender users
- simple migration from earlier versions of Defender with no change to end-user experience
- automated replication and backup for Defender data
- multiple points of authentication for load balancing and redundancy
- the ability for users to register their own hardware and software tokens using the Token Deployment System
- Defender Desktop Login for Windows
- extensive reporting facilities
- integration with other Quest products including Webthority, Quest Password Manager, ActiveRoles Server, Change Auditor and Quest Authentication Services.

Audience and Scope

This document describes:
- how to deploy the Defender Desktop Login software using Microsoft Group Policy
- the available configuration properties within the MSI package.

This book does not provide tutorial information on the use of the Windows operating system or on network communication concepts. Users must have experience in using the specified operating system and an understanding of networking concepts.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references.

ELEMENT                    CONVENTION
Select                     This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text                Used to highlight installation questions and responses.
courier text               File, daemon, utility, option, attribute names.
Italic text                Used for comments.
Bold Italic text           Used for emphasis.
Blue text                  Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
(icon)                     Used to highlight additional information pertinent to the process being described.
(icon)                     Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(icon)                     Used to highlight processes that should be performed with care.
+                          A plus sign between two keystrokes means that you must press them at the same time.
|                          A pipe symbol (vertical bar) between elements means that you must select the elements in that particular sequence.
\                          The back slash, immediately followed by a new line, indicates a Unix command line continuation.
<version>.<build number>   References to the product version you are installing are displayed with <version>.<build number> in angle brackets.

About Quest Software

Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management, data protection, identity and access management, monitoring, user workspace management to Windows management. For more information, visit www.quest.com.

Contacting Quest Software

Phone      949.754.8000 (United States and Canada)
Email      info@quest.com
Mail       Quest Software World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Web site   www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink   www.quest.com/support
Email         support@quest.com

You can use SupportLink to do the following:
- Create, update, or view support requests
- Search the knowledge base
- Access FAQs
- Download patches

Introduction

- Deploying Defender Desktop Login using Microsoft Group Policy
- Defender Desktop Login MSI Properties
  - DSS
  - SHARED_SECRET
  - EXCLUSION_MODE
  - EXCLUSION_GROUPS
  - ALLOW_OFFLINE_LOGON
  - OFFLINE_LOGON_DAYS
  - OFFLINE_LOGON_COUNT
  - DISPLAY_NOTIFICATIONS
  - STORE_PASSWORDS
  - MANAGE_PASSWORDS
  - WAIT_FOR_NETWORK
  - BLOCK_CREDENTIAL_PROVIDERS

Deploying Defender Desktop Login using Microsoft Group Policy

There are three separate steps to create the Defender Desktop Login package for deployment within your Microsoft Active Directory domain.

Create a Defender Desktop Login MSI Package
1. Open the Defender Desktop Login MSI software package in your MSI editing package.
2. Customize and save the existing MSI package, or create an MST transform file with the MSI properties listed below.

Create a Network Share and Set the File Permissions
1. Create a directory and copy the customized Defender Desktop Login software to it.
2. Set the appropriate Sharing and Security... permissions on this directory and ensure that the allow inheritance security settings propagate through the files below it.

Create a Group Policy Package for Deployment
1. Navigate to Group Policy on your Windows Server.
2. Edit the existing Default Domain Policy or create a new policy.
3. Expand Computer Configuration, then Software Settings.
4. Right-click Software installation and select New, then Package.
5. Navigate to the network share created in the step above and select the customized MSI file.
6. When the Deploy Software box is displayed, select Advanced.
7. Select the Modifications tab, then Add to add your MST transform file (if applicable).
8. Optionally, modify the other options as required, then select OK.

This will deploy the Defender Desktop Login package to all computers within the selected Domain Group Policy. Optionally, you can configure Microsoft Group Policy to apply the package to selected OUs rather than all computers by creating a new policy.

Defender Desktop Login MSI Properties

The MSI installation configuration options on the following pages can be added on the command line or specified as a property in the MSI installation routine. These properties can be edited, or have an MSI transform file associated, using an MSI editor of your choice. These settings should be specified in the form shown in the examples below.

DSS

This setting specifies a list of Defender Security Server(s) and port(s) for the Defender Desktop Login software to authenticate against. Each IP address or DNS name must have a port, which is specified using a colon. For multiple entries, use a semicolon as shown below (without a space).

Example

Single:
    DSS=IP_Address:port
    DSS=10.0.0.1:1812

Multiple:
    DSS=DNS_Name1:port;DNS_Name2:port
    DSS=DefenderDC1:1812;DefenderDC2:1812

SHARED_SECRET

This setting specifies the shared secret which is used to securely communicate and authenticate against the Defender Security Server.

Example:
    SHARED_SECRET=Quest_Software

EXCLUSION_MODE

This setting determines how the Defender Desktop Login software authenticates users.
    0 - Everyone is Defender authenticated
    1 - Users in EXCLUSION_GROUPS are not Defender authenticated
    2 - Users in EXCLUSION_GROUPS are Defender authenticated

Example:
    EXCLUSION_MODE=0

If you choose 1 or 2, you must ensure that the groups are specified in the EXCLUSION_GROUPS property, shown on the Exclusions tab of the Defender Desktop Login Configuration.

EXCLUSION_GROUPS

This setting determines which groups the Defender Desktop Login software will exclude for user authentications. If a user belongs to one of these groups, they will or will not be Defender two-factor authenticated, depending on the setting in EXCLUSION_MODE. In the example, local Administrators and DEFENDERQC\Domain Admins are excluded from Defender two-factor authentication. If you wish to specify multiple groups, you must separate each group with a semicolon (without a space).

Example:
    EXCLUSION_GROUPS=Administrators;DEFENDER\Domain Admin

ALLOW_OFFLINE_LOGON

This setting configures the Defender Desktop Login software to allow users to authenticate offline.
    0 - Offline logons are disabled
    1 - Offline logons are valid for a set number of days
    2 - Offline logons are valid for a set number of successful logons

If you choose 1 or 2, you must ensure that the OFFLINE_LOGON_DAYS or OFFLINE_LOGON_COUNT property, respectively, is specified.

Example:
    ALLOW_OFFLINE_LOGON=2

OFFLINE_LOGON_DAYS

This setting specifies the number of days the user can authenticate offline before they need to perform an online logon. This setting requires the ALLOW_OFFLINE_LOGON property to be set to 1.

Example:
    OFFLINE_LOGON_DAYS=12

OFFLINE_LOGON_COUNT

This setting specifies the number of times the user can successfully authenticate offline before they need to perform an online logon. This setting requires the ALLOW_OFFLINE_LOGON property to be set to 2.

Example:
    OFFLINE_LOGON_COUNT=45

DISPLAY_NOTIFICATIONS

This setting alerts users when an offline logon occurs and displays information about the number of offline logons or days remaining.
    0 = No
    1 = Yes

Example:
    DISPLAY_NOTIFICATIONS=1

STORE_PASSWORDS

This setting stores the user's current password so they are not prompted to re-enter it during each two-factor login.
    0 = No
    1 = Yes

Example:
    STORE_PASSWORDS=1

MANAGE_PASSWORDS

This setting allows Defender Desktop Login to change a user's password when prompted or when expired. The options are:
    0 = No
    1 = Yes

Example:
    MANAGE_PASSWORDS=1

WAIT_FOR_NETWORK

This setting makes the Defender Desktop Login software wait for the network to become available during startup. The time period is specified in seconds. The default value is 60 seconds.

Example:
    WAIT_FOR_NETWORK=60

BLOCK_CREDENTIAL_PROVIDERS

This setting allows Defender Desktop Login to block other credential providers. If not specified, the default value is 0.
    0 - Block all except Defender
    1 - Block Microsoft
    2 - Allow all

Example:
    BLOCK_CREDENTIAL_PROVIDERS=0
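The deployment procedure above puts these properties into an MST transform or onto the msiexec command line; as an added example (not from this guide or the Defender product), the Python checker below applies the dependencies the property reference states (DSS entries are host:port separated by semicolons, EXCLUSION_MODE 1 or 2 needs EXCLUSION_GROUPS, ALLOW_OFFLINE_LOGON 1 or 2 needs OFFLINE_LOGON_DAYS or OFFLINE_LOGON_COUNT) to a property set before it is built into the package. The port range check and the quoting of values containing spaces are assumptions, and the sample property set is constructed from the guide's example values with a placeholder secret.

```python
"""Check a Defender Desktop Login MSI property set and render it for msiexec."""
import re

# Value sets this guide lists for each enumerated property.
ALLOWED = {
    "EXCLUSION_MODE": ("0", "1", "2"), "ALLOW_OFFLINE_LOGON": ("0", "1", "2"),
    "BLOCK_CREDENTIAL_PROVIDERS": ("0", "1", "2"), "DISPLAY_NOTIFICATIONS": ("0", "1"),
    "STORE_PASSWORDS": ("0", "1"), "MANAGE_PASSWORDS": ("0", "1"),
}
# One DSS entry: an IP address or DNS name, a colon, then the port number.
DSS_ENTRY = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*:(\d{1,5})$")


def validate(props):
    """Return the problems found; an empty list means the set is consistent."""
    errors = []
    if not props.get("DSS"):
        errors.append("DSS is required")
    else:
        for entry in props["DSS"].split(";"):  # multiple servers: ';' with no spaces
            match = DSS_ENTRY.match(entry)
            if not match or not 1 <= int(match.group(1)) <= 65535:  # port range: assumption
                errors.append(f"DSS entry {entry!r} must be host:port")
    if not props.get("SHARED_SECRET"):
        errors.append("SHARED_SECRET is required")
    for name, allowed in ALLOWED.items():
        if name in props and props[name] not in allowed:
            errors.append(f"{name}={props[name]!r} is not one of {allowed}")
    # Modes 1 and 2 act on a group list, so one must be supplied.
    if props.get("EXCLUSION_MODE") in ("1", "2") and not props.get("EXCLUSION_GROUPS"):
        errors.append("EXCLUSION_MODE 1 or 2 requires EXCLUSION_GROUPS")
    # Offline mode 1 counts days, mode 2 counts successful logons.
    offline = props.get("ALLOW_OFFLINE_LOGON", "0")
    if offline == "1" and not props.get("OFFLINE_LOGON_DAYS", "").isdigit():
        errors.append("ALLOW_OFFLINE_LOGON=1 requires a numeric OFFLINE_LOGON_DAYS")
    if offline == "2" and not props.get("OFFLINE_LOGON_COUNT", "").isdigit():
        errors.append("ALLOW_OFFLINE_LOGON=2 requires a numeric OFFLINE_LOGON_COUNT")
    if "WAIT_FOR_NETWORK" in props and not props["WAIT_FOR_NETWORK"].isdigit():
        errors.append("WAIT_FOR_NETWORK must be a whole number of seconds")
    return errors


def render(props):
    """Render PROPERTY=value pairs for msiexec; values with spaces are quoted (assumption)."""
    return " ".join(f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in props.items())


# Constructed sample built from the guide's example values; the secret is a placeholder.
SAMPLE_PROPS = {
    "DSS": "DefenderDC1:1812;DefenderDC2:1812",
    "SHARED_SECRET": "REPLACE_WITH_DSS_SHARED_SECRET",
    "EXCLUSION_MODE": "1",
    "EXCLUSION_GROUPS": "Administrators;DEFENDER\\Domain Admins",
    "ALLOW_OFFLINE_LOGON": "2",
    "OFFLINE_LOGON_COUNT": "45",
    "BLOCK_CREDENTIAL_PROVIDERS": "0",
}

if __name__ == "__main__":
    problems = validate(SAMPLE_PROPS)
    print("\n".join(problems) if problems else render(SAMPLE_PROPS))
```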