Defender: Configuring for Use with GrIDsure Tokens

Introduction

The GrIDsure token can be used to protect any website hosted on Internet Information Server (IIS). This guide tells the administrator how to configure Defender and IIS, using the Defender ISAPI Agent, for use with the GrIDsure token.

The instructions in this guide assume that a working Defender system is in place with the required Defender components installed and configured; refer to System Requirements. For further information on Defender installation and configuration, refer to the Defender Installation Guide and the Defender Configuration Guide.

System Requirements

Before configuring Defender to use GrIDsure tokens, ensure that the following components are installed and configured in your Defender system:

Defender Administration Console version 5.5.0.xxx or higher
Defender Security Server version 5.5.0.xxx or higher
Defender ISAPI Agent version 5.5.0.xxx or higher

Configuring Defender for use with GrIDsure Tokens 1
Installing the GrIDsure Token License

To enable GrIDsure tokens within Defender, you must first install a GrIDsure Token License.

1. From Active Directory Users and Computers, select the Install Desktop Token License option from the Defender menu. The Defender menu is available when the Defender OU is selected.
2. The Defender License Import Wizard starts.
3. Click Next to display the Defender Import Wizard (License Files) dialog.
4. Click Add File to add your license file to the Licenses to install list.
5. Click on the required file, then click Open. The selected file is added to the Licenses to install list.
6. Click Next twice to complete the procedure.

How to Program a GrIDsure Token

GrIDsure tokens can be programmed for a user by the Defender Administrator, or created and registered by the users themselves through Auto-Enrollment.

Programming a GrIDsure Token via the Administration Console

1. In Active Directory Users and Computers (ADUC), display the user properties page for the required user, then select the Defender tab.
2. Click Program to start the Defender Token Programming Wizard.
3. Click Next. The Token Types dialog is displayed.
4. Select Defender Desktop Token, then click Next. The Defender Desktop Token Types dialog is displayed.
5. Select GrIDsure, then click Next.
Note: A user can have only one GrIDsure token assigned to them at any one time. If the user already has a GrIDsure token, a dialog is displayed asking whether to overwrite the user's existing GrIDsure token or to leave the existing token in place. If you choose to overwrite the existing token, the user must register the new token before it can be used to authenticate.

6. The Checking User License dialog is displayed.
7. Click Next. The Defender Token Programming Complete dialog is displayed.
8. Click Finish. The GrIDsure token is displayed in the Token Management field on the Defender tab of the user's Properties dialog.
9. If GrIDsure authentication is enabled in the token policy assigned to this user (refer to Creating/Editing a Policy for GrIDsure Tokens), the user is required to configure their PIP (Personal Identification Pattern) the first time the token is used to authenticate through a GrIDsure-aware client such as the ISAPI Agent.
Creating/Editing a Policy for GrIDsure Tokens

You now need to configure a Defender Policy to use GrIDsure tokens. You can either modify an existing policy or create a new policy. For information on how to create a new policy, refer to the Defender Configuration Guide.

To configure the policy for use with GrIDsure tokens where the tokens will be programmed by the Defender Administrator, perform the following steps:

1. Select the Defender OU from the Active Directory tree.
2. Select Policies.
3. Right-click on the required policy.
4. Select Properties from the menu.
5. The policyname - Properties dialog box is displayed.
6. On the Policy tab, in the Authentication methods, Use field, select Token.
7. Select the GrIDsure tab.
8. Select Enable GrIDsure Tokens and set the pattern length as required.
9. Select OK. The policy is now configured for GrIDsure tokens.
10. Assign the policy to the relevant access node, Defender Security Server, user or user group as required. For information on how to assign a security policy, refer to the Defender Configuration Guide.
GrIDsure Token Auto-Enrollment Mode

To enable Auto-Enrollment, set the Authentication Method, Use field to Token (GrIDsure Auto-Enrollment Mode). The first time that the user attempts to authenticate using a GrIDsure-enabled policy, the GrIDsure token is created and configured. Note that in this mode the first registration is gated by the user's Active Directory password alone (see Accessing the Protected Website), so a password that has been compromised before the user enrolls would let someone else register the token in that user's name.

Enabling User Auto-Enrollment for GrIDsure Tokens

To configure the policy that will enable GrIDsure tokens to be created and configured when the user first attempts to authenticate, perform the following steps:

1. Select the Defender OU from the Active Directory tree.
2. Select Policies.
3. Right-click on the required policy.
4. Select Properties from the menu. The policyname - Properties dialog box is displayed.
5. On the Policy tab, in the Authentication methods, Use field, select Token (GrIDsure Auto-Enrollment Mode).
6. Select the GrIDsure tab.
7. Check the Enable GrIDsure Tokens checkbox, then click OK to finish.

For information on how to authenticate in GrIDsure Auto-Enrollment Mode, refer to Accessing the Protected Website.
Additional Configuration Options

During configuration, the following options can be set on the GrIDsure tab if required:

Block consecutive patterns (horizontal, vertical and diagonal)
Check this box to enforce additional complexity rules for the PIP. It prevents the use of straight horizontal, vertical and diagonal patterns, which are the most predictable choices a user can make.

Enable Pattern Expiry
Check this box to force the user to provide a new pattern (PIP) after a set number of days. This option is similar to setting a password expiry limit for AD passwords.

Use letters in grid instead of numbers
The default configuration is to use numbers within the grid. Alternatively, you can specify that the grid should display letters.
Grid Style
Displays the GrIDsure Style dialog, enabling you to change the size and style of the grid as required.
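As an added example (not code from Quest or from this guide), the following Python sketch models how the two policy rules described above, the pattern length and Block consecutive patterns, can be checked against a PIP typed at enrolment, and how the value a user types at each login is read off a freshly randomised grid at the pattern's cells. The 5x5 grid, the A..Y cell labelling, the 4 to 8 cell length range and the exact meaning of "consecutive pattern" are assumptions; the guide's real cell layout appears only in screenshots not reproduced here, so the guide's AJBBBGAN string is used purely as input to the checks.

```python
"""Toy model of GrIDsure-style pattern (PIP) handling.

This is an added illustration, not Quest Defender code. Assumptions the guide
does not state: a 5x5 grid whose cells are labelled A..Y row by row when the
"Use letters in grid" option is set, a policy pattern length of 4 to 8 cells,
and "consecutive pattern" meaning a PIP whose cells all lie on one straight
horizontal, vertical or diagonal line with unit steps.
"""
import hmac
import secrets
import string

GRID_SIZE = 5                                     # assumed grid size
LABELS = string.ascii_uppercase[:GRID_SIZE ** 2]  # "A".."Y", one label per cell
MIN_LEN, MAX_LEN = 4, 8                           # pattern length range from the policy


def letters_to_cells(pip):
    """Translate the letters typed at enrolment into (row, col) cells.

    Repeated cells are allowed, as in the guide's AJBBBGAN example.
    """
    cells = []
    for ch in pip.upper():
        if ch not in LABELS:
            raise ValueError(f"{ch!r} is not a grid cell label")
        cells.append(divmod(LABELS.index(ch), GRID_SIZE))
    return cells


def is_straight_line(cells):
    """True when every step between successive cells is the same unit move."""
    steps = {(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(cells, cells[1:])}
    if len(steps) != 1:
        return False
    dr, dc = steps.pop()
    return (dr, dc) != (0, 0) and abs(dr) <= 1 and abs(dc) <= 1


def validate_pip(pip, block_consecutive=True):
    """Apply the policy's length rule and, optionally, the consecutive-pattern rule."""
    cells = letters_to_cells(pip)
    if not MIN_LEN <= len(cells) <= MAX_LEN:
        return False, f"pattern length {len(cells)} is outside {MIN_LEN}..{MAX_LEN}"
    if block_consecutive and is_straight_line(cells):
        return False, "straight horizontal, vertical or diagonal patterns are blocked"
    return True, "ok"


def random_grid():
    """Fresh grid of single digits shown at login; every cell is drawn independently."""
    return [secrets.randbelow(10) for _ in range(GRID_SIZE ** 2)]


def response_for(cells, grid):
    """What the user types at login: the digits currently in the pattern's cells, in order."""
    return "".join(str(grid[r * GRID_SIZE + c]) for r, c in cells)


def check_response(cells, grid, typed):
    """Server-side check; constant-time compare so timing does not leak digit matches."""
    return hmac.compare_digest(response_for(cells, grid), typed)


if __name__ == "__main__":
    for candidate in ("AJBBBGAN", "ABCD", "AGMS", "ABC"):
        print(candidate, validate_pip(candidate))
    pattern = letters_to_cells("AJBBBGAN")
    for _ in range(2):  # same pattern, two logins, two different one-time responses
        grid = random_grid()
        print(response_for(pattern, grid))
```

The point the sketch makes is that the pattern (the cells) is the long-lived secret while the digits typed at login are one-time values derived from the grid shown at that moment, which is why the guide's configuration step uses letters but its login example shows a numeric entry.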
Installing the Defender ISAPI Agent

The Defender ISAPI Agent is installed as an ISAPI filter to provide Defender authentication for the website. To install the Defender ISAPI Agent on the server hosting IIS, perform the following steps:

1. Run the installation file Defender ISAPI Agent x64 Installer.exe (for x64 platforms) or Defender ISAPI Agent Installer.exe (for x86 platforms).
2. Select Next.
3. Accept the License Agreement.
4. Select Next.
5. Select Next to accept the default installation location, or select Browse to choose a different location.
6. Select Next.
7. The Defender ISAPI Agent installation starts and the Installation Progress dialog is displayed.
8. On completion of the installation, the Installation Complete dialog is displayed.
9. Select Finish.
Configuring the ISAPI Agent

On completion of the ISAPI Agent installation, select Configure Defender ISAPI Agent Now. The Defender ISAPI Agent Configuration dialog is displayed.

To configure the ISAPI Agent:

1. On the DSS Parameters tab, select Add.
2. Enter the name of the Defender Security Server where user authentication will be performed.
3. Enter the IP address of the Defender Security Server.
4. Enter the port number and shared secret configured on the access node that this connection will use. The shared secret must match the access node's value exactly; treat it as a credential, since it is what identifies the agent to the Defender Security Server.
5. Select the Protected Sites tab.
6. Select the site that you want to protect with Defender, then click OK to save the selection.
Accessing the Protected Website

This section describes how to access the protected website using Defender authentication and a GrIDsure token.

1. From Internet Explorer, access the protected website. The Login page is displayed.
2. Enter your username, then click Login.
3. If you are using GrIDsure Auto-Enrollment Mode and have no other token types assigned, you are prompted for your Active Directory Windows password to start the registration process for your GrIDsure token.
4. Enter your Windows password, then click Login.
Note: if you have more than one token type assigned, you can choose which token to use for authentication. In the example, the user can either enter the synchronous response from a Go-x token or, if the user has a registered GrIDsure token or the administrator has programmed one, click Use GrIDsure to authenticate with the GrIDsure token.

On first use, you are required to configure your GrIDsure pattern, or PIP. The GrIDsure grid (as defined in the Defender security policy) is displayed.
5. Select a pattern using the letters within the grid and then enter these letters, without spaces, in the Configure your GrIDsure PIP: box. For example, the policy configured in Creating/Editing a Policy for GrIDsure Tokens requires a pattern of between 4 and 8 cells, so a PIP such as AJBBBGAN would create a pattern using the top left square and then the first 3 squares from row 2.
If the PIP does not meet the complexity rules configured on the policy, an error dialog is displayed. Enter a PIP that meets the complexity requirements.
6. Select Login to save the PIP.
7. You are then prompted to authenticate using the PIP that was created for your token.
8. Read the values currently shown in the cells of your pattern, enter them in the Use your GrIDsure PIP: box (e.g. 3305) and select Login.
9. You are now authenticated and allowed access to the protected website.
10. A GrIDsure token is now created for you. It can be viewed on the Defender tab of the user's Properties dialog in Active Directory Users and Computers.

The next time you access the website, you are prompted for your user name only and then for the values shown in the cells of your pattern. The grid contents are regenerated for each login, so the value you type differs each time while the pattern itself stays the same.

Quest, Quest Software, the Quest Software logo and Defender are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Gridsure is a trademark of Gridsure Limited. All other trademarks are property of their respective owners.