SELF SERVICE RESET PASSWORD MANAGEMENT ARCHITECTURE GUIDE



Copyright 1998-2015 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form or by any means without the written permission of Tools4ever. DISCLAIMER - Tools4ever will not be held responsible for the outcome or consequences resulting from your actions or usage of the informational material contained in this user guide. Responsibility for the use of any and all information contained in this user guide is strictly and solely the responsibility of that of the user. All trademarks used are properties of their respective owners. www.tools4ever.com

Contents

1. Introduction
2. Architecture
   2.1. SSRPM Service
      2.1.1. Fail Over / Redundancy
   2.2. Admin console
   2.3. Client software
      2.3.1. Enrollment Wizard
      2.3.2. Reset Wizard
      2.3.3. GINA/Credential Provider
   2.4. COM Object
   2.5. Webinterface
   2.6. Helpdesk Caller Identification
   2.7. Complete overview
3. Index

Copyright Tools4ever 1998-2015

1. Introduction

SSRPM consists of many components that communicate with one another. Some of these components also store (encrypted) information in a database or in files. This document describes all of the components of SSRPM, what kind of data is stored, the encryption used and the communication methods.

2. Architecture

SSRPM consists of multiple components. This chapter describes these components and their relation to other components.

[Figure: Overview of components and their relation.]

2.1. SSRPM Service

The main component of SSRPM is the SSRPM Service. This service manages all of the connections with the clients as well as the connection with the SSRPM Database. The SSRPM Service may be installed on any server in the network. The MSSQL database does not need to be installed on the same machine.

Communication

The SSRPM Service communicates with the SMS Gateway over an HTTPS connection.

The most important data stored by the SSRPM Service are the user answers. In order to store the data safely and to support certain functionality, the SSRPM Service supports the following mechanisms to store the user answers in the database:

- Clear text
- MD5
- SHA 256 (default)
- Reversible encryption

Clear text
The answers are stored in the database as plain text. This option is not recommended.

MD5 and SHA 256 hash
The answers are stored in the database as a hash. It is not possible to reconstruct the original answer from a hash. It is recommended to use SHA 256 hashing as it is the most secure method.

Reversible encryption
The reversible encryption is based on the credentials of the SSRPM service account and uses 256-bit AES encryption. This option is required for the helpdesk caller identification functionality.

2.1.1. Fail Over / Redundancy

SSRPM is designed so that it can be configured in a high availability situation. There are several mechanisms that may be used to achieve high availability.

Offline mode
The user clients can be configured so that they cache user and configuration data locally on the client machine. This allows users to log on using SSRPM even if the SSRPM Service is not available. The functionality provided by the user client offline mode can also be used to service laptops that are not always connected to the company network. When the laptops connect to the network, they communicate with the SSRPM Service to exchange data. This data is then stored locally so that the user can continue to use SSRPM when he/she works at home or at another location.

Multiple SSRPM Services
Multiple SSRPM Services may be installed to provide high availability in case of hardware failure on one of the servers running the SSRPM Service. The clients will automatically connect to another server if the connection to the SSRPM Service fails.

Multiple SSRPM databases
In combination with multiple SSRPM Services, multiple databases may be used. The databases must run on an MSSQL server and replicate the data stored in the database to the other SSRPM databases. The configuration guide contains a step-by-step guide on how to configure an MSSQL server for replication.

2.2. Admin console

Administrators can use the admin console to install and manage the SSRPM Service. The admin console communicates with the SSRPM Service using a secure RPC connection. The encryption method used by the secure RPC connection depends on the security settings of the domain. The minimal encryption used is 128-bit RC4 encryption.

2.3. Client software

The client software consists of three components:

1. Enrollment wizard
2. Reset Wizard
3. GINA/Credential Provider

2.3.1. Enrollment Wizard

The enrollment wizard is installed on the workstations. The end user can use this application to enroll in SSRPM. It also checks periodically if a user is enrolled, if the user should re-enroll and (if applicable) if the data in the local cache is up to date. The local cache is only used for the offline logon functionality. If this functionality is not enabled, no data is stored in the local cache.

Local Cache
The local cache contains all the information required to perform an offline logon. This includes profile and user data. The data in the local cache is stored as binary data and is encrypted under the local system account using Windows Data Protection, which uses 256-bit AES encryption. On top of that, the answers are additionally encrypted with the unencrypted answer or its hash as salt. This means that the answers can only be decrypted if you already have the answer.

The enrollment wizard communicates with the SSRPM Service using a secure RPC connection. The encryption method used by the secure RPC connection depends on the security settings of the domain. The minimal encryption used is 128-bit RC4 encryption.

2.3.2. Reset Wizard

The reset wizard is installed on the workstations. The end user can use this application to reset his/her password or unlock his/her account.

Local Cache
The local cache contains all the information required to perform an offline logon. If the reset wizard can't connect to the SSRPM Service, it will check the local cache to see whether it can perform an offline logon.

The reset wizard communicates with the SSRPM Service using a secure RPC connection. The encryption method used by the secure RPC connection depends on the security settings of the domain. The minimal encryption used is 128-bit RC4 encryption.

Offline SMS
If SMS authentication is enabled and required during the offline logon procedure, the reset wizard will try to connect to the SMS Gateway over an HTTPS connection, and the transmitted data will be encrypted using 128-bit RC4 encryption.

2.3.3. GINA/Credential Provider

SSRPM includes two types of GINAs/Credential Providers: the standard GINA/Credential Provider and the offline GINA/Credential Provider.

Standard
The standard GINA/Credential Provider is installed on the workstation together with the enrollment and reset wizards. It does not use the local cache, nor does it communicate with the SSRPM Service.

Offline
The offline GINA/Credential Provider needs to be installed on the workstation separately, in addition to the client software. It also doesn't communicate with the SSRPM Service, but it does cache credentials for the offline logon procedure. The cached credentials are encrypted using 256-bit AES encryption.

2.4. COM Object

The COM object is typically used by the web interfaces of SSRPM. The COM object communicates with the SSRPM Service using a secure RPC connection. The encryption method used by the secure RPC connection depends on the security settings of the domain. The minimal encryption used is 128-bit RC4 encryption.

2.5. Webinterface

It is recommended to install the web interface on a separate server, especially if it can be accessed from outside the network. The end user can use the web interface to enroll in SSRPM, to reset his password or to unlock his account. The end user communicates with the web interface using HTTPS. The web interface uses the COM object to communicate with the SSRPM Service.

2.6. Helpdesk Caller Identification

The administrator can use this web interface to determine whether the end user knows the answers to his challenge questions without finding out the whole answer. This functionality requires that the SSRPM Service stores the user's answers using reversible encryption. However, the answers are only decrypted by the SSRPM Service and never leave the SSRPM Service. The end user communicates with the web interface using HTTPS. The web interface uses the COM object to communicate with the SSRPM Service.
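As an added example, not Tools4ever's code, the following Go program models the two answer storage modes that matter for sections 2.1 and 2.6: SHA 256 hashing, which can only confirm a complete answer, and reversible AES-256 encryption, which lets the service decrypt the stored answer itself and confirm only a prefix for helpdesk caller identification without releasing the plaintext. The use of AES-GCM, the serviceKey placeholder for the key derived from the service account credentials, and the "first n characters" check are assumptions; the guide does not specify them.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)
// aead builds AES-256-GCM for a 32-byte key (GCM is an assumption; the guide only says 256-bit AES).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// HashAnswer is the SHA 256 storage mode: the stored digest cannot be turned back into the answer.
func HashAnswer(answer string) [32]byte { return sha256.Sum256([]byte(answer)) }
// VerifyHashed accepts only the complete answer; a partial answer hashes to something unrelated.
func VerifyHashed(stored [32]byte, candidate string) bool {
	h := HashAnswer(candidate)
	return subtle.ConstantTimeCompare(stored[:], h[:]) == 1
}
// StoreReversible is the reversible mode: sealed under a key derived from the service account's
// credentials (serviceKey stands in for that derivation); the random nonce is prepended.
func StoreReversible(serviceKey []byte, answer string) ([]byte, error) {
	gcm, err := aead(serviceKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(answer), nil), nil
}
// HelpdeskCheck is the caller-identification step: the service decrypts the record itself and
// reports only whether the first n characters the caller gave match (n-prefix rule is assumed).
func HelpdeskCheck(serviceKey, stored []byte, partial string, n int) (bool, error) {
	gcm, err := aead(serviceKey)
	if err != nil || len(stored) < gcm.NonceSize() {
		return false, errors.New("bad key length or record")
	}
	full, err := gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], nil) // wrong key => error
	if err != nil || n < 0 || n > len(full) {
		return false, err // a prefix longer than the answer is simply a mismatch
	}
	return subtle.ConstantTimeCompare(full[:n], []byte(partial)) == 1, nil
}
```

The local cache scheme of section 2.3.1, where the answers are additionally encrypted using the answer or its hash, can be modelled with the same seal by passing HashAnswer(answer) as the key, which is why such a cache entry only opens for someone who already holds the answer.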

2.7. Complete overview

3. Index

A: Admin console; Architecture
C: Client software; COM Object; Complete overview
E: Enrollment Wizard
F: Fail Over / Redundancy
G: GINA/Credential Provider
H: Helpdesk Caller Identification
I: Introduction
R: Reset Wizard
S: SSRPM Service
W: Webinterface